Our colleagues in security have been increasingly (and rightly) raising the alert that security threats are not only the domain of IT, but an enterprisewide concern that necessitates a team approach across the executive suite. As such, the C-suite and its functional teams need more education, understanding and engagement in order to have an appropriate, risk-aware posture that helps protect company assets, reputation and the broader business ecosystem (customers, partners, vendors).

The CISO and CIO can only do so much. Frequently, the business engages in a variety of activities to promote company strategy and growth initiatives, capture new markets, and develop and roll out new products. Increasingly, this involves partnering externally with vendors, contractors, regulatory agencies and more, part of which is sharing business processes, intellectual property and data.

IT and security are usually not involved in these activities, but the degree to which the business side of operations incorporates secure practices into everyday activities is becoming more important in light of exponentially increasing cyber risks.

To get a deeper view into the specifics of the C-suite’s concerns and perspectives on cybersecurity, IBM conducted a survey of more than 700 C-suite executives from 28 countries across 18 industries. Participants spanned traditional C-suite roles, compliance officers and legal counsel. This report, “Cybersecurity Perspectives From the Boardroom and C-Suite,” provides insights into the executives’ assessments of risks and challenges, as well as how these assessments align with actual threats.

Cybersecurity Is Important, But It’s Not Always Clear Who the Enemy Is

Two-thirds of respondents view cybersecurity as a top concern that must be addressed. However, they are not clear about which elements of security present the greatest risk.

For example, 54 percent of those surveyed acknowledge risks from organized crime groups. However, many tend to overemphasize the risks from opportunistic rogue actors and discount the dangers from other sources such as industry spies, domestic and foreign governments and inside personnel within the business ecosystem. Understanding the enemy helps optimize risk management and investment in security solutions.

Collaboration Is Essential to Level the Playing Field

It’s generally acknowledged in the security domain that collaborative sharing of incident information is a powerful weapon to combat the bad guys. In fact, the most successful cybercriminals are known to collaborate by sharing information on the Dark Web, the seedier side of the Internet where those with ill intent can interact anonymously.

The good guys, however, are more reticent to collaborate. Over two-thirds of CEOs in our study said they are reluctant to share their organizations’ cybersecurity incident information externally.

Equally concerning is the fact that internal, cross-functional collaboration is weak, particularly among the three specific C-suite roles — chief human resources officer (CHRO), chief marketing officer (CMO) and chief financial officer (CFO) — that have stewardship of the most coveted data sought by cybercriminals (employee, customer and financial information, respectively). These three executives are also the least confident that their organization’s cybersecurity plans are well-thought-out and well-executed.

Organizations Can Benefit From the Lessons of Those Who Have Prepared Well

C-suite participants who indicated they believe their organizations are more secure revealed that they have done more to implement a comprehensive cybersecurity program to detect breaches, prevent incidents and remediate risks. That greater preparation shows in the measures they are more likely to have implemented.

For instance, these C-suite participants indicate they have established an information security office, appointed a chief information security officer (CISO) and implemented a cross-functional governance model that engages the organization from the boardroom to management to employees. Key executives responsible for data most coveted by cybercriminals are more engaged in threat management activities. It’s also likely the CEO of those organizations is more open to collaboration and external sharing of incident intelligence.

C-Suite Considerations

Organizations ready to increase cybersecurity capabilities can look to emulate the cybersecurity elite. First, clarify which actors present the greatest risks and assess the organizational commitment to risk aversion.

Next, improve awareness and drive a more risk-aware culture across the entire organization. Institute a structure for cybersecurity governance, continuous monitoring, incident reporting and response preparation.

Lastly, use collaboration, both internally and externally, to manage threats and secure the organization’s most valuable digital assets. Enforce security standards across both the IT infrastructure and business processes.
