
Cybersecurity perspectives from the boardroom and C-suite

Ninety-four percent of CxOs believe it is probable their companies will experience a significant cybersecurity incident in the next two years.

Cybersecurity issues are no longer limited to the IT department; instead, they threaten every aspect of the organization and pose a significant threat to ongoing business continuity and reputation. These issues extend well beyond the technical environment and reach across the entire business ecosystem. Cybersecurity solutions must encompass not only technical fixes, but also changes in business processes, controls, management and employee behavior.

To get a deeper view into the specifics of the C-suite’s concerns and perspectives on cybersecurity, IBM, in conjunction with the Economist Intelligence Unit, surveyed more than 700 C-suite executives from 28 countries, across 18 industries. Participants spanned traditional C-suite roles, compliance officers and legal counsel. This report will provide insights into the executives’ assessments of risks and challenges, as well as how these assessments align with actual threats.

Cybersecurity is important, but it’s not always clear who the enemy is

Two-thirds of the C-suite views cybersecurity as a top concern that must be addressed. However, they are not clear about which elements of security present the greatest risk. Fifty-four percent of those surveyed acknowledge risks from organized crime groups. However, many tend to over-emphasize the risks from opportunistic “rogue” actors and discount the dangers from other sources, such as industry spies, national and foreign governments and personnel within the business ecosystem (employees, vendors, partners). Understanding the enemy helps optimize risk management and investment in security solutions.

Collaboration is essential to level the playing field

It’s generally acknowledged in the security domain that collaborative sharing of incident information is a powerful weapon to combat the bad guys. In fact, the most successful cyber-criminals are known to collaborate by sharing information on the “dark web,” the seedier side of the Internet in which those with ill intent can interact anonymously.

The “good guys,” however, are more hesitant to collaborate. Over two-thirds of CEOs in our study said they are reluctant to share their organizations’ cybersecurity incident information externally. Equally concerning, internal, cross-functional collaboration is weak, particularly among the three specific C-suite roles, Chief Human Resources Officer (CHRO), Chief Marketing Officer (CMO) and Chief Financial Officer (CFO), that have stewardship for the most coveted data sought by hackers (employee, customer and financial information, respectively). These three executives are also the least confident their organization’s cybersecurity plans are well thought out and executed.

Organizations can benefit from the lessons of those who have prepared well

Cybersecured organizations have implemented a comprehensive cybersecurity program to detect breaches, prevent incidents and remediate risks. Most telling, these companies have established an Information Security Office, appointed a Chief Information Security Officer (CISO) and have implemented a cross-functional governance model that engages the organization from the boardroom, to management, to employees. They are also more open to collaboration and external sharing of incident intelligence.

C-suite considerations

Organizations ready to increase cybersecurity capabilities can look to emulate the cybersecure elite. First, clarify which actors present the greatest risks and assess the organizational commitment to risk aversion. Next, improve awareness and drive a more risk-aware culture across the entire organization. Institute regimens for cybersecurity governance, continuous monitoring, incident reporting and response preparation. Last, use collaboration both internally and externally to manage threats and secure the organization’s most valuable digital assets. Enforce security standards across both the IT infrastructure and business processes.




Meet the author

Carl Nordman, Director, Global C-suite Study Program, and CFO Research Lead, IBM Institute for Business Value



Originally published 01 February 2016