April 5, 2016 By Christophe Veltsos 3 min read

A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite” provides valuable insights about the dynamics within the C-suite — insight that anyone in the role of chief information officer (CIO) or chief information security officer (CISO) cannot afford to miss. IBM surveyed more than 700 executives from 28 countries across 18 different industries that occupied nine different roles in the C-suite.

IT security risks were consistently rated as a top concern regardless of roles. While “two-thirds of the C-suite views cybersecurity as a top concern that must be addressed,” the report also cautioned that “they are not clear about which elements of security present the greatest risk.” This finding might be better explained when one considers the disconnects highlighted by the study.

Well-Established Plans?

While the report found that 65 percent of C-suite respondents claim to be confident that their organization’s cybersecurity plans are well-established, not everyone in the C-suite shares the same perspective. On the IT and risk side, 77 percent of chief risk officers (CROs) and 76 percent of CIOs think of the organization’s cybersecurity plans as well-established.

However, this high confidence is not shared by the rest of the C-suite. Among CEOs, only 51 percent shared this view, the lowest level of confidence reported by all CXOs. The level of confidence rises only slightly throughout the rest of the boardroom, with 55 percent of chief financial officers (CFOs), 59 percent of chief marketing officers (CMOs) and 61 percent of chief human resource officers (CHROs) believing that the organization’s cybersecurity plans are well-established.

Source: IBM Institute for Business Value

The report warned that this disconnect “is significant because these three executives [CMOs, CFOs, CHROs] are ultimately the stewards of customer, financial and employee data — information highly coveted by cybercriminals.” Failure to appropriately engage all the stakeholders in the organization “has the potential to miss areas in business process, information management and third-party solutions” such as a department signing on to a cloud-based service without IT’s knowledge.

Download the full IBM Report: Cybersecurity perspectives from the boardroom and C-suite

A Collaborative Approach

The report found a similar disconnect when CXOs were asked to rate the degree of C-suite engagement regarding cybersecurity threat management activities.

“Compared to the CEO, finance, marketing and human resources executives, the CIO is nearly twice as confident that cybersecurity plans encompass a cross-C-suite approach and collaboration,” the report stated.

“While CIOs expressed confidence, 69 percent of C-suite participants indicated that cybersecurity plans fail to adequately incorporate cross-C-suite collaboration. At the role-specific level, almost three-fourths of CEOs, CHROs, CMOs and CFOs indicate they do not believe the cybersecurity plans include them in a cross-functional approach.”

Recommendations for the CIO or CISO

While suggestions from the report included items that CIOs and CISOs are unlikely to have the ability to change if the organization’s leadership is not already on board, the following recommendations are fully within their sphere of influence:

  • Establish a security governance model and program to encourage enterprisewide collaboration.
  • Craft foundational materials for executive-level education.
  • Include the C-suite in developing an incident response plan and share it with the board for input.
  • Enforce security standards across both IT infrastructure and business processes.

Instead of assuming that their approach to creating the next cybersecurity plan is collaborative and inclusive of stakeholders across the organization, CIOs and CISOs should explicitly ask for feedback from the rest of the C-suite. Cybersecurity has to be a team sport where the goal is to help executives come up with sensible security strategies for the organization in support of its business objectives.

CIOs and CISOs cannot be just technologists. They must become digital trust ambassadors — and, when need be, critics — to help steer the business in this era of rapid technological change, with all the opportunities and risks it presents.

For the full story, be sure to read Part 2 of this three-part series: “Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs.”

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today