This is the final installment in our three-part series on securing the C-suite. Be sure to read Part 1 and Part 2 for more information.
Chief executive officers (CEOs) are under intense pressure from all sides. From an economic perspective, areas that were once the domain of a few favored organizations are now ripe for disruption by newcomers. Indeed, according to IBM’s “Redefining Competition: Insights From the Global C-suite Study – The CEO Perspective,” CEOs believe technology is the chief external influence on their enterprises. More specifically, cybersecurity issues have crashed into the C-suite and the boardroom, and top leadership is under the spotlight when it comes to achieving an acceptable cyber posture.
Getting the CEO Involved in Security
A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite” provided valuable insights for CEOs about the dynamics within the C-Suite and their impact on cybersecurity.
Chief among the findings of the report is the disconnect between the technological leaders (CIO, CISO and/or CRO) and the rest of the C-suite. CMOs, CFOs, CHROs and even CEOs are reported to be the least engaged when it comes to cybersecurity threat management activities. These executives often feel as though cybersecurity preparations didn’t include them in a functional approach, according to the report. CEOs were the most skeptical of all CXOs when asked whether the cybersecurity strategy of their enterprise was “well-established.”
While it could be tempting for the CEO to ignore these warning signs and relegate them to the concerned parties to fix (i.e., the CIO/CISO/CRO on one side and the rest of the C-suite on the other), doing so would signal to the rest of the C-suite that cybersecurity isn’t much of a concern. As to the wisdom of such a stance, the number of CEOs that have lost their jobs — or quit voluntarily — after a major data breach speaks for itself.
CEOs cannot afford to be complacent about security, and that means everyone in the C-suite has a role to play. If there’s a disconnect, the CEO must send a clear signal that all parties are to work out their differences — or in some cases their indifference — to own up to their responsibilities and help lead the organization toward a healthier cybersecurity posture.
Collaborating for Success
In its “Exploring the Inner Circle: Insights From the Global C-Suite Study” report, IBM found that “the ability to collaborate is the most important factor” and that “how the members of the C-suite collaborate is as significant as the extent to which they collaborate.”
An accompanying report shed light on three specific sets of collaborations within the C-suite that resulted in top-performing organizations: the CEO-CIO-CMO relationship, the CEO-CFO-CMO relationship and the CEO-CFO-CHRO relationship.
Beyond those relationship triangles, the selection of the CISO and placement of this role within the organization is also going to have a significant impact on the nature of the conversations around cybersecurity.
How should CEOs proceed forward to tackle cybersecurity? The “Securing the C-Suite” report provided key recommendations, including striving to “make cybersecurity an intrinsic part of business processes and decisions.” Building security into the organization and then having the CEO remain involved is critical to a business’s long-term success.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato