Securing the C-Suite, Part 1: Lessons for Your CIO and CISO

A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite,” provides valuable insight into the dynamics within the C-suite, insight that anyone in the role of chief information officer (CIO) or chief information security officer (CISO) cannot afford to miss. IBM surveyed more than 700 executives holding nine different C-suite roles, drawn from 28 countries and 18 industries.

IT security risk was consistently rated a top concern regardless of role. While “two-thirds of the C-suite views cybersecurity as a top concern that must be addressed,” the report also cautioned that “they are not clear about which elements of security present the greatest risk.” The disconnects highlighted by the study go a long way toward explaining that lack of clarity.

Well-Established Plans?

While the report found that 65 percent of C-suite respondents claim to be confident that their organization’s cybersecurity plans are well-established, not everyone in the C-suite shares the same perspective. On the IT and risk side, 77 percent of chief risk officers (CROs) and 76 percent of CIOs think of the organization’s cybersecurity plans as well-established.

However, this high confidence is not shared by the rest of the C-suite. Among CEOs, only 51 percent shared this view, the lowest level of confidence among all the CXO roles surveyed. Confidence rises only slightly across the rest of the boardroom, with 55 percent of chief financial officers (CFOs), 59 percent of chief marketing officers (CMOs) and 61 percent of chief human resource officers (CHROs) believing that the organization’s cybersecurity plans are well-established.

[Chart: C-suite view of whether cybersecurity plans are well established, by role. Source: IBM Institute for Business Value]

The report warned that this disconnect “is significant because these three executives [CMOs, CFOs, CHROs] are ultimately the stewards of customer, financial and employee data — information highly coveted by cybercriminals.” Failure to appropriately engage all the stakeholders in the organization “has the potential to miss areas in business process, information management and third-party solutions” such as a department signing on to a cloud-based service without IT’s knowledge.


A Collaborative Approach

The report found a similar disconnect when CXOs were asked to rate the degree of C-suite engagement regarding cybersecurity threat management activities.

“Compared to the CEO, finance, marketing and human resources executives, the CIO is nearly twice as confident that cybersecurity plans encompass a cross-C-suite approach and collaboration,” the report stated.

“While CIOs expressed confidence, 69 percent of C-suite participants indicated that cybersecurity plans fail to adequately incorporate cross-C-suite collaboration. At the role-specific level, almost three-fourths of CEOs, CHROs, CMOs and CFOs indicate they do not believe the cybersecurity plans include them in a cross-functional approach.”

Recommendations for the CIO or CISO

Some of the report’s suggestions depend on the organization’s leadership already being on board, and CIOs and CISOs are unlikely to be able to act on those alone. The following recommendations, however, are fully within their sphere of influence:

  • Establish a security governance model and program to encourage enterprisewide collaboration.
  • Craft foundational materials for executive-level education.
  • Include the C-suite in developing an incident response plan and share it with the board for input.
  • Enforce security standards across both IT infrastructure and business processes.

Instead of assuming that their approach to creating the next cybersecurity plan is collaborative and inclusive of stakeholders across the organization, CIOs and CISOs should explicitly ask for feedback from the rest of the C-suite. Cybersecurity has to be a team sport where the goal is to help executives come up with sensible security strategies for the organization in support of its business objectives.

CIOs and CISOs cannot be just technologists. They must become digital trust ambassadors — and, when need be, critics — to help steer the business in this era of rapid technological change, with all the opportunities and risks it presents.

For the full story, be sure to read Part 2 of this three-part series: “Securing the C-Suite, Part 2: The Role of CFOs, CMOs and CHROs.”

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.