This is the second post in a three-part series. Be sure to read Part 1 for the full story.

An Overview

A 2013 IBM report titled “Exploring the Inner Circle: Insights From the Global C-Suite Study” found that the top-performing organizations all had one quality that set them apart from their peers: collaboration. Top leadership’s view is that “the ability to collaborate is the most important factor” and that “how the members of the C-suite collaborate is as significant as the extent to which they collaborate.”

So how closely are CXOs collaborating? “The Customer-Activated Enterprise” study in 2013 asked each CXO which two colleagues they worked most closely with. While the CIO’s connection to the CFO is strong, the CIO-CMO and CIO-CHRO connections are evidently thin.

Source: IBM Institute for Business Value

Fast-forward to 2016: Three years after that global study, the level of collaboration within the C-suite does not appear to have changed much. In light of the rising importance of cybersecurity engagement within the C-suite, this is a worrisome finding.

The 2016 “Securing the C-Suite” report found that “the CFO, CHRO and CMO feel the least engaged in cybersecurity threat management activities, yet are the stewards of data most coveted by cybercriminals.”

The bleak findings continued, with almost three-fourths of CHROs, CMOs and CFOs indicating “they do not believe the cybersecurity plans include them in a cross-functional approach.” When CXOs were asked about their level of engagement in cybersecurity preparations, CFOs reported the lowest level of engagement at 38 percent, followed next by CHROs at 41 percent and CMOs at 43 percent.

Chief Human Resource Officer (CHRO)

While organizations are increasing their adoption of information technology, the human side of the equation should remain a constant focus in the organization’s overall cyber risk management. The CHRO installment of the study recommended that the CHRO work closely with the CIO “to design a clear device management policy.”

Chief Marketing Officer (CMO)

The CMO installment found that “where the CMO and CIO work well together, the enterprise is 76 percent more likely to outperform in terms of revenues and profitability.”

The report also recommended the CMO to “work with the CIO to build a secure and scalable cognitive analytics capability within your organization.”

Chief Financial Officer (CFO)

A 2016 Harvey Nash cybersecurity survey found that 49 percent of cybersecurity professionals surveyed reported that CFOs had “major knowledge gaps” when it comes to cybersecurity. An article by Craig Calle put the CFO’s requirements thusly: “CFOs need to step up and recognize their fiduciary duty to treat data as one of their company’s most important assets and sponsor initiatives to protect and monetize them.”

Without close collaboration from the CIO and the CISO, this task would be nearly impossible. Cybersecurity requires a symbiotic relationship between the CFO and security leaders.

Recommendations for the C-Suite


CHROs must engage with the CIO/CISO — not just to tackle the issues around employee-owned technology such as BYOD, but also to address the need for effective, constant security awareness and anti-social engineering efforts. Technology alone cannot solve the security issue; it requires a human touch.

The 2016 “Securing the C-Suite” report commented that “as the stewards of sensitive employee personal information, which is highly coveted by hackers, CHROs should be at the forefront of their organizations’ cybersecurity efforts.”

Recommendations targeted at the HR function include protecting employees’ personal information, enforcing cybersecurity training and establishing clear job roles for all hires.


CMOs, as consumers of increasing quantities of information including big data and the dreamy business promises of data analytics, should keep the CIO/CISO in the loop. They are allies not just from a technological enablement perspective, but also for support.

While it may be tempting to retain old customer behavior data, the concept of toxic data is something to seriously discuss with your CISO/CIO. Bruce Schneier cautioned against the thought that “because the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever.” He warned that “what all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous.”


The CFO should work collaboratively with the CIO/CISO to “incorporate the security assessment into the enterprise risk plan as appropriate” and to “establish a security governance model and program to encourage enterprisewide collaboration.”

Be sure to check back next week for the final installment of this three-part series, “Securing the C-Suite, Part 3: All Eyes on the CEO.”

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…