Cybersecurity risk does not discriminate by organization, industry or geographic region; it threatens almost every organization. Every part of a company is exposed to a breach, and managing these threats and choosing appropriate responses is no longer solely the IT department's job. To understand how C-suite executives perceive cybersecurity and to capture their concerns, the IBM Institute for Business Value surveyed more than 700 executives across 18 industries in 28 countries. The resulting report, Securing the C-Suite: Cybersecurity perspectives from the boardroom and C-suite, authored by Diana Kelley and Carl Nordman, draws key insights from those executives and seeks to align cyber risk assessment with strategic planning.
The Perception of Cybersecurity
The executives surveyed held roles across all functional areas of the organization: Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Marketing Officer (CMO), Chief Human Resources Officer (CHRO), Chief Risk Officer (CRO) and Chief Information Officer (CIO). Surveying each functional area made it possible to highlight key differences of opinion about cybersecurity between the roles.
One notable difference is that CIOs, compared with CEOs, CFOs and CMOs, are nearly twice as confident that their cybersecurity plans reflect a cross C-suite approach. The gap arises because the CIO focuses on the technical aspects of cyber risk, while marketing, human resources and finance worry about risks that originate in customer and vendor networks, or what the authors call "the business ecosystem." These non-CIO executives see a real possibility of breach through interactions with employees, partners and vendors. CROs, for their part, are confident that cybersecurity risks have been incorporated into their enterprise risk management frameworks. However, having the risk listed in a framework does not by itself mean that meaningful protections and safeguards exist against it. All C-suite executives should assess the plans and address gaps in both proactive (preventive) and reactive (incident response) measures.
Another finding is that almost 60% of the executives do not feel included in the conversation about cybersecurity. Given that 95% of C-suite officers view cybersecurity as a significant threat, it is alarming that there is so little cross-functional communication about how to implement strategic plans for future incidents.
Executives are well aware of the potential consequences of a cybersecurity breach: financial losses, reputational damage and national security concerns. Yet when asked about the likelihood of a significant cybersecurity incident, 80% of executives put the chance of a breach within the next few years at less than 50%.
The Importance of Collaboration
As the aftermath of prior business failures has shown, communication is central to preventing many problems. To become better prepared, organizations should study the intrusion methods and practices that attackers actually use. When that knowledge is shared effectively throughout the organization, the response to a cybersecurity threat can be a collective effort to form solutions and plans rather than the concern of a single department.
Perhaps the most valuable communication is between different organizations. Sharing ideas and information can "level the playing field" so that each organization is better prepared. Indeed, over 50% of executives believe that cross-border information sharing is necessary to combat cybercrime. However, less than a third of these executives are actually willing to share information externally. This reluctance to share cybersecurity incidents with the business ecosystem prevents common solutions and plans from being developed. The collective knowledge of these organizations could help them stay a few steps ahead of hackers and other malicious intruders.
Communication within the C-suite could also be improved. 71% of those surveyed reported that their organization has an Office of Security and a Chief Information Security Officer (CISO), a position designed to be a strategic role that develops and drives an enterprise approach to security. However, when the other executives were asked about the CISO's role, they described it as operational rather than strategic. The CISO's role must be communicated clearly so that the other executives understand that cybersecurity is a threat to every facet of the organization, not just the IT department. Improving the perception of the CISO's role will help achieve an enterprise-wide assessment of this risk.
Achieving a Cybersecure Organization
Among those surveyed, 65% of C-suite officers believe their cybersecurity plans are well established. However, only 17% meet the report's criteria for the highest level of preparedness and capability. To become a cybersecure organization, a company should take the following steps:
- Understand the Risk: Assess the business ecosystem for potential threats and conduct formal risk assessments. Build the organization's knowledge of cybersecurity and train employees accordingly, so that the plan is carried out as an enterprise-wide approach.
- Collaborate, Educate, and Empower: Communicate the CISO's role, establish a governance program, and discuss cybersecurity regularly with all of the executives. Ensure that the executives are continually involved in the incident response plan.
- Manage Risk with Vigilance and Speed: Maintain a monitoring capability and use threat intelligence to secure the environment. Know where the most prized digital assets reside and develop preventive controls to protect them. Develop organization-wide cybersecurity policies.
With technology ever more present in daily life, cybersecurity risks cannot be ignored. Organizations understand that these risks are omnipresent and that the impact of many threats is almost incalculable. However, there are effective ways to limit the damage of an attack. Communication among the C-suite and board is key; without a common understanding of what is being done to mitigate the potential effects, it will be difficult to determine how to recover if an actual attack occurs. Transforming the organization into a more cybersecure one will reduce the probability of a crippling attack. The C-suite as a whole, not just the CIO, needs to collaborate internally and externally to gather information, protect digital assets and develop the cybersecurity plan that best protects the organization.