A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite,” provides valuable insights about the dynamics within the C-suite — insight that anyone in the role of chief information officer (CIO) or chief information security officer (CISO) cannot afford to miss. IBM surveyed more than 700 executives from 28 countries across 18 different industries who occupied nine different roles in the C-suite.

IT security risks were consistently rated as a top concern regardless of roles. While “two-thirds of the C-suite views cybersecurity as a top concern that must be addressed,” the report also cautioned that “they are not clear about which elements of security present the greatest risk.” This finding might be better explained when one considers the disconnects highlighted by the study.

Well-Established Plans?

While the report found that 65 percent of C-suite respondents claim to be confident that their organization’s cybersecurity plans are well-established, not everyone in the C-suite shares the same perspective. On the IT and risk side, 77 percent of chief risk officers (CROs) and 76 percent of CIOs think of the organization’s cybersecurity plans as well-established.

However, this high confidence is not shared by the rest of the C-suite. Among CEOs, only 51 percent shared this view, the lowest level of confidence reported by all CXOs. The level of confidence rises only slightly throughout the rest of the boardroom, with 55 percent of chief financial officers (CFOs), 59 percent of chief marketing officers (CMOs) and 61 percent of chief human resource officers (CHROs) believing that the organization’s cybersecurity plans are well-established.

Source: IBM Institute for Business Value

The report warned that this disconnect “is significant because these three executives [CMOs, CFOs, CHROs] are ultimately the stewards of customer, financial and employee data — information highly coveted by cybercriminals.” Failure to appropriately engage all the stakeholders in the organization “has the potential to miss areas in business process, information management and third-party solutions” such as a department signing on to a cloud-based service without IT’s knowledge.


A Collaborative Approach

The report found a similar disconnect when CXOs were asked to rate the degree of C-suite engagement regarding cybersecurity threat management activities.

“Compared to the CEO, finance, marketing and human resources executives, the CIO is nearly twice as confident that cybersecurity plans encompass a cross-C-suite approach and collaboration,” the report stated.

“While CIOs expressed confidence, 69 percent of C-suite participants indicated that cybersecurity plans fail to adequately incorporate cross-C-suite collaboration. At the role-specific level, almost three-fourths of CEOs, CHROs, CMOs and CFOs indicate they do not believe the cybersecurity plans include them in a cross-functional approach.”

Recommendations for the CIO or CISO

While some of the report’s suggestions are items that CIOs and CISOs are unlikely to be able to change unless the organization’s leadership is already on board, the following recommendations are fully within their sphere of influence:

  • Establish a security governance model and program to encourage enterprisewide collaboration.
  • Craft foundational materials for executive-level education.
  • Include the C-suite in developing an incident response plan and share it with the board for input.
  • Enforce security standards across both IT infrastructure and business processes.

Instead of assuming that their approach to creating the next cybersecurity plan is collaborative and inclusive of stakeholders across the organization, CIOs and CISOs should explicitly ask for feedback from the rest of the C-suite. Cybersecurity has to be a team sport where the goal is to help executives come up with sensible security strategies for the organization in support of its business objectives.

CIOs and CISOs cannot be just technologists. They must become digital trust ambassadors — and, when need be, critics — to help steer the business in this era of rapid technological change, with all the opportunities and risks it presents.

For the full story, be sure to read Part 2 of this three-part series: “Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs.”
