The View From the Top: C-Suite Insights on Cybersecurity
Our colleagues in security have been increasingly (and rightly) raising the alert that security threats are not only the domain of IT, but an enterprisewide concern that necessitates a team approach across the executive suite. As such, the C-suite and its functional teams need more education, understanding and engagement in order to have an appropriate, risk-aware posture that helps protect company assets, reputation and the broader business ecosystem (customers, partners, vendors).
The CISO and CIO can only do so much. Frequently, the business engages in a variety of activities to promote company strategy and growth initiatives, capture new markets, develop and roll out new products and penetrate new markets. Increasingly, this involves partnering externally with vendors, contractors, regulatory agencies and more — part of which is sharing business processes, intellectual property and data.
IT and security are usually not involved, but the degree to which the business side of operations incorporates secure practices into everyday activities is becoming more important in light of exponentially increasing cyber risks.
To get a deeper view into the specifics of the C-suite’s concerns and perspectives on cybersecurity, IBM conducted a survey of more than 700 C-suite executives from 28 countries across 18 industries. Participants spanned traditional C-suite roles, compliance officers and legal counsel. This report, “Cybersecurity Perspectives From the Boardroom and C-Suite,” provides insights into the executives’ assessments of risks and challenges, as well as how these assessments align with actual threats.
Cybersecurity Is Important, But It’s Not Always Clear Who the Enemy Is
Two-thirds of respondents view cybersecurity as a top concern that must be addressed. However, they are not clear about which elements of security present the greatest risk.
For example, 54 percent of those surveyed acknowledge risks from organized crime groups. However, many tend to overemphasize the risks from opportunistic rogue actors and discount the dangers from other sources such as industry spies, domestic and foreign governments and inside personnel within the business ecosystem. Understanding the enemy helps optimize risk management and investment in security solutions.
Collaboration Is Essential to Level the Playing Field
It’s generally acknowledged in the security domain that collaborative sharing of incident information is a powerful weapon to combat the bad guys. In fact, the most successful cybercriminals are known to collaborate by sharing information on the Dark Web, the seedier side of the Internet where those with ill intent can interact anonymously.
The good guys, however, are more reticent to collaborate. Over two-thirds of CEOs in our study said they are reluctant to share their organizations’ cybersecurity incident information externally.
Equally concerning is the fact that internal, cross-functional collaboration is weak, particularly among the three specific C-suite roles — chief human resources officer (CHRO), chief marketing officer (CMO) and chief financial officer (CFO) — that have stewardship of the most coveted data sought by cybercriminals (employee, customer and financial information, respectively). These three executives are also the least confident that their organization’s cybersecurity plans are well-thought-out and well-executed.
Organizations Can Benefit From the Lessons of Those Who Have Prepared Well
C-suite participants who indicated they believe their organizations are more secure revealed that they have done more to implement a comprehensive cybersecurity program to detect breaches, prevent incidents and remediate risks. The evidence of that greater preparation is revealed in some things they are more likely to have implemented.
For instance, these C-suite participants indicate they have established an information security office, appointed a chief information security officer (CISO) and implemented a cross-functional governance model that engages the organization from the boardroom to management to employees. Key executives responsible for data most coveted by cybercriminals are more engaged in threat management activities. It’s also likely the CEO of those organizations is more open to collaboration and external sharing of incident intelligence.
Organizations ready to increase cybersecurity capabilities can look to emulate the cybersecurity elite. First, clarify which actors present the greatest risks and assess the organizational commitment to risk aversion.
Next, improve awareness and drive a more risk-aware culture across the entire organization. Institute a structure for cybersecurity governance, continuous monitoring, incident reporting and response preparation.
Lastly, use collaboration, both internally and externally, to manage threats and secure the organization’s most valuable digital assets. Enforce security standards across both the IT infrastructure and business processes.