With the level of attention cyber risks are receiving, one would likely expect that the dynamics in the boardroom and the C-suite would be that of a well-functioning team on the same page, especially when it comes to governing and managing the organization’s handling of risks and preparing for the inevitable cyber incident.
Surely, both in the boardroom and in the C-suite, leaders would be devoting enough time to consider, debate and decide on the organization’s handling of cyber risks and where to focus their cybersecurity strategy. Leaders would have tweaked the organizational structure to ensure that cyber risks were not viewed as a mainly IT-driven issue. They would have embraced the idea that, no matter their industry, their organization is at risk and could be significantly impacted by a cyber incident.
As a result, leaders would have shored up their own understanding of cyberthreats or secured easy access to advisers to help them navigate this complex landscape. They would have budgeted resources to ensure the enterprise had a strong security program in place with appropriate budgets and staffing. Certainly, leaders would have understood the need to move the organization away from legacy investments in protective defenses and instead made progress toward being able to detect and quickly respond to a cyber incident.
The Reality of Cybersecurity Dynamics Is Bleak
Unfortunately, the reality on the ground is much bleaker. A 2014 EY report summarized the situation as such: “Competing demands, and an outdated understanding of the threats, crowd out the security discussion.”
The report highlighted the following reasons as to why boards and CXOs were reluctant to tackle cybersecurity:
- A crowded board-level agenda;
- Regarding cybersecurity as belonging to the IT silo;
- A misplaced sense of security that attackers won’t target their particular industry (e.g., hotels, grocery stores, etc.);
- Cyberthreats being overwhelming due to their complex and technical nature;
- Viewing cybersecurity as only a cost center; and
- The idea that organizations can be secure by stitching together enough defensive controls.
More recently, a 2016 report from the IBM Institute for Business Value, “Securing the C-Suite,” shed further light on the dynamics within the C-suite, especially among the various CXOs. IBM surveyed more than 700 executives from different countries across many industries and in various C-suite roles.
The report analyzed and categorized the cybersecurity maturity of responding organizations into three tiers. The top spot was named “cybersecured.” Those organizations “emerged as most capable and prepared on cybersecurity at the C-suite level,” the report found. “They have the most sanguine views of the risks, the need for cross-functional governance and they incorporate these risks in the organization ERM plans more than any others. Most important, among this group, the C-suite engages in a more balanced and collaborative fashion.”
The second tier was titled “growing capability,” while the third and final tier was named “unprepared.”
Leadership Must Get Involved
So how involved are top executives in their organization’s cybersecurity preparations? Among the report’s findings are that C-suite collaboration is built into the cybersecurity plan in 67 percent of the cybersecured organizations, 34 percent of growing-capability organizations and 10 percent of unprepared organizations. On a positive note, 61 percent of cybersecured organizations indicated that cybersecurity was a regular topic in C-suite meetings.
Another worrisome finding from the report is an apparent disconnect between what security experts consider to be true and the perceptions of other key stakeholders in the C-suite. Specifically, “almost three-fourths of CEOs, CHROs, CMOs and CFOs indicate they do not believe the cybersecurity plans include them in a cross-functional approach.”
When respondents were asked about the degree to which they felt included in security threat management activities in C-suite meetings, nearly 60 percent “indicated they did not feel included in the topic or participate during C-suite meetings.” The breakdown was 57 percent of CMOs, 59 percent of CHROs and 62 percent of CFOs.
Such a disconnect can spell trouble if not detected and corrected. Why do CFOs, CHROs and CMOs feel left out of key conversations around cybersecurity? Is the CISO having the right conversations with the stakeholders who hold what the report terms some of “the most coveted data sought by hackers”?
Recommendations for the C-Suite
The “Governance of Cybersecurity: 2015 Report” by the Georgia Tech Information Security Center recommended that organizations establish a cross-organizational team that meets to “coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO and business line executives.”
Some key recommendations from the IBM report included:
- Establish a security governance model and program to encourage enterprisewide collaboration.
- Empower the CISO with the mission of managing information security risk across the enterprise and leading the initiative among the C-suite.
- Elevate and regularly discuss cybersecurity at C-suite and board meetings, and engage risk, finance, marketing, human resources and supply chain at a minimum.
- Craft foundational materials for executive-level education.
- Include the C-suite in developing an incident response plan and share it with the board for input.
Ultimately, both board directors and CXOs should work to “make cybersecurity an intrinsic part of business processes and decisions.” Yet the best way to integrate cybersecurity and business is to designate someone within the organization as the cyber risk leader, be it the CISO, a CRO or another CXO.
Risk Leadership Is Essential
As to what risk leadership entails, I am reminded of this quote from “Tomorrow’s Corporate Governance”: “This leadership is achieved through being a voice of challenge as well as a business educator and enabler, fully empowered to help the business gain a deeper appreciation of the relationship between risk, reward and strategy to enable better and more informed decisions to be taken. It involves embedding a risk culture to help the organization proactively deal with risk issues and inherent dilemmas, across and beyond the enterprise.”
All executives within the C-suite have a vested interest in ensuring that cyber risks are given proper attention, properly debated and properly handled.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato