April 12, 2016 By Christophe Veltsos

This is the second post in a three-part series. Be sure to read Part 1 for the full story.

An Overview

A 2013 IBM report titled “Exploring the Inner Circle: Insights From the Global C-Suite Study” found that the top-performing organizations all had one quality that set them apart from their peers: collaboration. Top leadership’s view is that “the ability to collaborate is the most important factor” and that “how the members of the C-suite collaborate is as significant as the extent to which they collaborate.”

So how closely are CXOs collaborating? “The Customer-Activated Enterprise” study in 2013 asked each CXO which two colleagues they worked most closely with. While the CIO’s connection to the CFO is strong, the CIO-CMO and CIO-CHRO connections are evidently thin.


Source: IBM Institute for Business Value

Fast-forward to 2016: Three years after that global study, the level of collaboration within the C-suite does not appear to have changed much. In light of the rising importance of cybersecurity engagement within the C-suite, this is a worrisome finding.

The 2016 “Securing the C-Suite” report found that “the CFO, CHRO and CMO feel the least engaged in cybersecurity threat management activities, yet are the stewards of data most coveted by cybercriminals.”

The bleak findings continued, with almost three-fourths of CHROs, CMOs and CFOs indicating “they do not believe the cybersecurity plans include them in a cross-functional approach.” When CXOs were asked about their level of engagement in cybersecurity preparations, CFOs reported the lowest level of engagement at 38 percent, followed next by CHROs at 41 percent and CMOs at 43 percent.

Chief Human Resource Officer (CHRO)

While organizations are increasing their adoption of information technology, the human side of the equation should remain a constant focus in the organization’s overall cyber risk management. The CHRO installment of the study recommended that the CHRO work closely with the CIO “to design a clear device management policy.”

Chief Marketing Officer (CMO)

The CMO installment found that “where the CMO and CIO work well together, the enterprise is 76 percent more likely to outperform in terms of revenues and profitability.”

The report also recommended that the CMO “work with the CIO to build a secure and scalable cognitive analytics capability within your organization.”

Chief Financial Officer (CFO)

A 2016 Harvey Nash cybersecurity survey found that 49 percent of cybersecurity professionals surveyed reported that CFOs had “major knowledge gaps” when it comes to cybersecurity. An article by Craig Calle put the CFO’s requirements thusly: “CFOs need to step up and recognize their fiduciary duty to treat data as one of their company’s most important assets and sponsor initiatives to protect and monetize them.”

Without close collaboration from the CIO and the CISO, this task would be nearly impossible. Cybersecurity requires a symbiotic relationship between the CFO and security leaders.

Recommendations for the C-Suite

CHROs

CHROs must engage with the CIO/CISO, not just to tackle the issues around employee-owned technology such as BYOD, but also to address the need for effective, constant security awareness and anti-social-engineering efforts. Technology alone cannot solve the security issue; it requires a human touch.

The 2016 “Securing the C-Suite” report commented that “as the stewards of sensitive employee personal information, which is highly coveted by hackers, CHROs should be at the forefront of their organizations’ cybersecurity efforts.”

Recommendations targeted at the HR function include protecting employees’ personal information, enforcing cybersecurity training and establishing clear job roles for all hires.

CMOs

CMOs, as consumers of increasing quantities of information including big data and the dreamy business promises of data analytics, should keep the CIO/CISO in the loop. They are allies not just from a technological enablement perspective, but also for support.

While it may be tempting to retain old customer behavior data, the concept of toxic data is something to seriously discuss with your CISO/CIO. Bruce Schneier cautioned against the thought that “because the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever.” He warned that “what all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous.”

CFOs

The CFO should work collaboratively with the CIO/CISO to “incorporate the security assessment into the enterprise risk plan as appropriate” and to “establish a security governance model and program to encourage enterprisewide collaboration.”

Be sure to check back next week for the final installment of this three-part series, “Securing the C-Suite, Part 3: All Eyes on the CEO.”
