April 5, 2016 By Christophe Veltsos 3 min read

A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite” provides valuable insights about the dynamics within the C-suite — insight that anyone in the role of chief information officer (CIO) or chief information security officer (CISO) cannot afford to miss. IBM surveyed more than 700 executives from 28 countries across 18 different industries that occupied nine different roles in the C-suite.

IT security risks were consistently rated as a top concern regardless of roles. While “two-thirds of the C-suite views cybersecurity as a top concern that must be addressed,” the report also cautioned that “they are not clear about which elements of security present the greatest risk.” This finding might be better explained when one considers the disconnects highlighted by the study.

Well-Established Plans?

While the report found that 65 percent of C-suite respondents claim to be confident that their organization’s cybersecurity plans are well-established, not everyone in the C-suite shares the same perspective. On the IT and risk side, 77 percent of chief risk officers (CROs) and 76 percent of CIOs think of the organization’s cybersecurity plans as well-established.

However, this high confidence is not shared by the rest of the C-suite. Among CEOs, only 51 percent shared this view, the lowest level of confidence reported by all CXOs. The level of confidence rises only slightly throughout the rest of the boardroom, with 55 percent of chief financial officers (CFOs), 59 percent of chief marketing officers (CMOs) and 61 percent of chief human resource officers (CHROs) believing that the organization’s cybersecurity plans are well-established.

Source: IBM Institute for Business Value

The report warned that this disconnect “is significant because these three executives [CMOs, CFOs, CHROs] are ultimately the stewards of customer, financial and employee data — information highly coveted by cybercriminals.” Failure to appropriately engage all the stakeholders in the organization “has the potential to miss areas in business process, information management and third-party solutions” such as a department signing on to a cloud-based service without IT’s knowledge.

Download the full IBM Report: Cybersecurity perspectives from the boardroom and C-suite

A Collaborative Approach

The report found a similar disconnect when CXOs were asked to rate the degree of C-suite engagement regarding cybersecurity threat management activities.

“Compared to the CEO, finance, marketing and human resources executives, the CIO is nearly twice as confident that cybersecurity plans encompass a cross-C-suite approach and collaboration,” the report stated.

“While CIOs expressed confidence, 69 percent of C-suite participants indicated that cybersecurity plans fail to adequately incorporate cross-C-suite collaboration. At the role-specific level, almost three-fourths of CEOs, CHROs, CMOs and CFOs indicate they do not believe the cybersecurity plans include them in a cross-functional approach.”

Recommendations for the CIO or CISO

While suggestions from the report included items that CIOs and CISOs are unlikely to have the ability to change if the organization’s leadership is not already on board, the following recommendations are fully within their sphere of influence:

  • Establish a security governance model and program to encourage enterprisewide collaboration.
  • Craft foundational materials for executive-level education.
  • Include the C-suite in developing an incident response plan and share it with the board for input.
  • Enforce security standards across both IT infrastructure and business processes.

Instead of assuming that their approach to creating the next cybersecurity plan is collaborative and inclusive of stakeholders across the organization, CIOs and CISOs should explicitly ask for feedback from the rest of the C-suite. Cybersecurity has to be a team sport where the goal is to help executives come up with sensible security strategies for the organization in support of its business objectives.

CIOs and CISOs cannot be just technologists. They must become digital trust ambassadors — and, when need be, critics — to help steer the business in this era of rapid technological change, with all the opportunities and risks it presents.

For the full story, be sure to read Part 2 of this three-part series: “Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs.”

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today