March 17, 2016 By Christophe Veltsos

With the level of attention cyber risks are receiving, one would likely expect that the dynamics in the boardroom and the C-suite would be that of a well-functioning team on the same page, especially when it comes to governing and managing the organization’s handling of risks and preparing for the inevitable cyber incident.

Surely, both in the boardroom and in the C-suite, leaders would be devoting enough time to consider, debate and decide on the organization’s handling of cyber risks and where to focus their cybersecurity strategy. Leaders would have tweaked the organizational structure to ensure that cyber risks were not viewed as a mainly IT-driven issue. They would have embraced the idea that, no matter their industry, their organization is at risk and could be significantly impacted by a cyber incident.

As a result, leaders would have shored up their own understanding of cyberthreats or secured easy access to advisers to help them navigate this complex landscape. They would have budgeted resources to ensure the enterprise had a strong security program in place with appropriate budgets and staffing. Certainly, leaders would have understood the need to move the organization away from legacy investments in protective defenses and instead made progress toward being able to detect and quickly respond to a cyber incident.

The Reality of Cybersecurity Dynamics Is Bleak

Unfortunately, the reality on the ground is much bleaker. A 2014 EY report summarized the situation as such: “Competing demands, and an outdated understanding of the threats, crowd out the security discussion.”

The report highlighted the following reasons as to why boards and CXOs were reluctant to tackle cybersecurity:

  • A crowded board-level agenda;
  • Regarding cybersecurity as belonging to the IT silo;
  • A misplaced sense of security that attackers won’t target their particular industry (e.g., hotels, grocery stores, etc.);
  • Cyberthreats being overwhelming due to their complex and technical nature;
  • Viewing cybersecurity as only a cost center; and
  • The idea that organizations can be secure by stitching together enough defensive controls.

More recently, a 2016 report from the IBM Institute for Business Value, “Securing the C-Suite,” shed further light on the dynamics within the C-suite, especially among the various CXOs. IBM surveyed more than 700 executives from different countries across many industries and in various C-suite roles.

The report analyzed and categorized the cybersecurity maturity of responding organizations into three tiers. The top spot was named “cybersecured.” Those organizations “emerged as most capable and prepared on cybersecurity at the C-suite level,” the report found. “They have the most sanguine views of the risks, the need for cross-functional governance and they incorporate these risks in the organization ERM plans more than any others. Most important, among this group, the C-suite engages in a more balanced and collaborative fashion.”

The second tier was titled “growing capability,” while the third and final tier was named “unprepared.”

Leadership Must Get Involved

So how involved are top executives in their organization’s cybersecurity preparations? The report found that C-suite collaboration is built into the cybersecurity plan in 67 percent of the cybersecured organizations, 34 percent of growing-capability organizations and 10 percent of unprepared organizations. On a positive note, 61 percent of cybersecured organizations indicated that cybersecurity was a regular topic in C-suite meetings.

Another worrisome finding from the report is an apparent disconnect between what security experts consider to be true and the perceptions of other key stakeholders in the C-suite. Specifically, “almost three-fourths of CEOs, CHROs, CMOs and CFOs indicate they do not believe the cybersecurity plans include them in a cross-functional approach.”

When respondents were asked about the degree to which they felt included in security threat management activities in C-suite meetings, nearly 60 percent “indicated they did not feel included in the topic or participate during C-suite meetings.” The breakdown was 57 percent of CMOs, 59 percent of CHROs and 62 percent of CFOs.

Such a disconnect can spell trouble if not detected and corrected. Why do CFOs, CHROs and CMOs feel left out of key conversations around cybersecurity? Is the CISO having the right conversations with the stakeholders who have what the report terms some of “the most coveted data sought by hackers”?

Recommendations for the C-Suite

The “Governance of Cybersecurity: 2015 Report” by the Georgia Tech Information Security Center recommended that organizations establish a cross-organizational team meeting to “coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO and business line executives.”

Some key recommendations from the IBM report included:

  • Establish a security governance model and program to encourage enterprisewide collaboration.
  • Empower the CISO with the mission of managing information security risk across the enterprise and leading the initiative among the C-suite.
  • Elevate and regularly discuss cybersecurity at C-suite and board meetings, and engage risk, finance, marketing, human resources and supply chain at a minimum.
  • Craft foundational materials for executive-level education.
  • Include the C-suite in developing an incident response plan and share it with the board for input.

Ultimately, both board directors and CXOs should work to “make cybersecurity an intrinsic part of business processes and decisions.” Yet the best way to integrate cybersecurity and business is to designate someone within the organization as the cyber risk leader, be it the CISO, a CRO or another CXO.

Risk Leadership Is Essential

As to what risk leadership entails, I am reminded of this quote from “Tomorrow’s Corporate Governance”: “This leadership is achieved through being a voice of challenge as well as a business educator and enabler, fully empowered to help the business gain a deeper appreciation of the relationship between risk, reward and strategy to enable better and more informed decisions to be taken. It involves embedding a risk culture to help the organization proactively deal with risk issues and inherent dilemmas, across and beyond the enterprise.”

All executives within the C-suite have a vested interest in ensuring that cyber risks are given proper attention, properly debated and properly handled.
