To address the complexity of cybersecurity threats today, technology is only the beginning; changes in business processes, controls, management, and employee behavior are all key components of a complete cybersecurity defense. But with a reluctance to collaborate internally and externally, few companies seem to have all components in place.
IBM surveyed more than 700 C-suite executives from 28 countries across 18 industries for its report Securing the C-Suite. The C-suite is aligned in recognizing the threat: 94 percent of CxOs believe it is likely their company will experience a “significant” cybersecurity incident in the next two years. But there are issues with cross-functional collaboration, where Chief Human Resources Officers, Chief Marketing Officers and Chief Financial Officers are left out of the loop on their companies' cybersecurity plans, despite handling some of the most sensitive data.
CEOs and the collaboration conundrum
While you may think that CEOs should be the most confident across the C-suite in their organization's approach to cybersecurity, only slightly more than half believe their company's cybersecurity plans are well established. That is far less confident than Chief Risk Officers (77 percent) and Chief Information Officers (76 percent), and places CEOs alongside the CMO, CFO and HR officers in the bottom half of the “confidence index.”
The lack of confidence could stem from feeling left out; almost three-fourths of CEOs, CHROs, CMOs and CFOs indicated they do not believe the cybersecurity plans include them in a cross-functional approach.
Greater external collaboration among organizations could speed the development of collective knowledge and insights on threat actors and their strategies, according to the report. But 68 percent of CEOs expressed an aversion to sharing incident information externally.
“Leadership needs to address the aversion to responsible sharing with appropriately vetted external parties, creating the opportunity to leverage analytics and apply increasingly sophisticated cognitive capabilities to strengthen and automate security solutions and help to mitigate risks,” IBM said.
What “cybersecured” organizations are doing that you’re not
According to IBM, 17 percent of respondents emerged as “cybersecured” – the most capable and prepared on cybersecurity at the C-suite level. In this group, the C-suite “engages in a more balanced and collaborative fashion.”
- Collaboration and engagement
Compared to unprepared organizations, cross-C-suite collaboration is built into the cybersecurity plans of cybersecured organizations. Sixty-one percent of cybersecured organizations indicate that cybersecurity is a regular topic in C-suite meetings, compared to just 31 percent for others.
Cybersecured organizations are 2.5 times more likely to have appointed an office of information security and a CISO.
According to the report, “at the board level, CISOs are expected to give visibility to and quantify the risks to the organization. At the C-suite level, the CISO is tasked with formulating and executing a comprehensive cybersecurity framework to mitigate risk.”
- Board-level knowledge and participation
Cybersecurity is nearly two times more likely to be a regular board agenda topic for the cybersecured (56 percent) than for other organizations (27 percent). According to the report, board members don't have to be cybersecurity experts, but they should inform themselves about cybersecurity risks to the degree necessary to: ask management to describe the controls in place and keep the board updated on them, monitor those controls periodically, and require prompt reporting of significant incidents.