February 17, 2016 By Carl Nordman
Diana Kelley
3 min read

Our colleagues in security have been increasingly (and rightly) raising the alert that security threats are not only the domain of IT, but an enterprisewide concern that necessitates a team approach across the executive suite. As such, the C-suite and its functional teams need more education, understanding and engagement in order have an appropriate, risk-aware posture that helps protect company assets, reputation and the broader business ecosystem (customers, partners, vendors).

The CISO and CIO can only do so much. Frequently, the business engages in a variety of activities to promote company strategy, growth initiatives, capture new markets, develop and roll out new products and penetrate new markets. Increasingly, this involves partnering externally with vendors, contractors, regulatory agencies and more — part of which is sharing business processes, intellectual property and data.

Read the complete report on securing the C-suite

IT and security are usually not involved, but the degree to which the business side of operations incorporates secure practices into everyday activities is becoming more important in light of exponentially increasing cyber risks.

To get a deeper view into the specifics of the C-suite’s concerns and perspectives on cybersecurity, IBM conducted a survey of more than 700 C-suite executives from 28 countries across 18 industries. Participants spanned traditional C-suite roles, compliance officers and legal counsel. This report, “Cybersecurity Perspectives From the Boardroom and C-Suite,” provides insights into the executives’ assessments of risks and challenges, as well as how these assessments align with actual threats.

Cybersecurity Is Important, But It’s Not Always Clear Who the Enemy Is

Two-thirds of respondents view cybersecurity as a top concern that must be addressed. However, they are not clear about which elements of security present the greatest risk.

For example, 54 percent of those surveyed acknowledge risks from organized crime groups. However, many tend to overemphasize the risks from opportunistic rogue actors and discount the dangers from other sources such as industry spies, domestic and foreign governments and inside personnel within the business ecosystem. Understanding the enemy helps optimize risk management and investment in security solutions.

Collaboration Is Essential to Level the Playing Field

It’s generally acknowledged in the security domain that collaborative sharing of incident information is a powerful weapon to combat the bad guys. In fact, the most successful cybercriminals are known to collaborate by sharing information on the Dark Web, the seedier side of the Internet where those with ill intent can interact anonymously.

The good guys, however, are more reticent to collaborate. Over two-thirds of CEOs in our study said they are reluctant to share their organizations’ cybersecurity incident information externally.

Equally concerning is the fact that internal, cross-functional collaboration is weak, particularly among the three specific C-suite roles — chief human resources officer (CHRO), chief marketing officer (CMO) and chief financial officer (CFO) — that have stewardship of the most coveted data sought by cybercriminals (employee, customer and financial information, respectively). These three executives are also the least confident that their organization’s cybersecurity plans are well-thought-out and well-executed.

Organizations Can Benefit From the Lessons of Those Who Have Prepared Well

C-suite participants who indicated they believe their organizations are more secure revealed that they have done more to implement a comprehensive cybersecurity program to detect breaches, prevent incidents and remediate risks. The evidence of that greater preparation is revealed in some things they are more likely to have implemented.

For instance, these C-suite participants indicate they have established an information security office, appointed a chief information security officer (CISO) and implemented a cross-functional governance model that engages the organization from the boardroom to management to employees. Key executives responsible for data most coveted by cybercriminals are more engaged in threat management activities. It’s also likely the CEO of those organizations is more open to collaboration and external sharing of incident intelligence.

C-Suite Considerations

Organizations ready to increase cybersecurity capabilities can look to emulate the cybersecurity elite. First, clarify which actors present the greatest risks and assess the organizational commitment to risk aversion.

Next, improve awareness and drive a more risk-aware culture across the entire organization. Institute a structure for cybersecurity governance, continuous monitoring, incident reporting and response preparation.

Lastly, use collaboration, both internally and externally, to manage threats and secure the organization’s most valuable digital assets. Enforce security standards across both the IT infrastructure and business processes.

Download the full Report: Cybersecurity perspectives from the boardroom and C-suite

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today