It’s clear by now that IT executives take cybersecurity threats seriously, at least in the abstract. The most recent SIM IT Trends Study, which surveys industry IT leaders, found that security is among the main issues keeping them up at night and is one of the biggest investments IT departments are making.
But given that security threats now exist far outside the IT department, it’s not enough for just IT leaders to take them seriously. Every department needs to be involved in the discussion, and that involvement should start within the C-suite.
While IT executives might have a firm grasp of current threats against their organizations, not all their non-IT colleagues share that same knowledge. This is according to a recent IBM study titled “Securing the C-suite.” Researchers from IBM’s Institute for Business Value surveyed 700 C-suite executives from 28 countries across 18 industries to assess non-IT executives’ understanding of the security threats facing them and their preparedness for said threats.
IBM executive security advisor Diana Kelley co-authored the report. She got her start in cybersecurity more than two decades ago when working as a network administrator for a Cambridge startup. “They were doing updates over the internet, and then some creeps broke into my network,” she recalled. “So I went overnight from being a network admin to a security admin.” Four years ago she joined IBM’s 7,000-person security team to advise IBM customers on best practices and threats. “Whenever a CIO is thinking about buying an IBM product and wants to talk to someone with my expertise, as a peer, I come in and have a conversation with them.”
As part of this role, Kelley also works with internal teams to conduct and publish industry research and then presents the research at conferences. She explained that IBM conducted the “Securing the C-suite” study to help CIOs and CISOs communicate to the rest of the C-suite the importance of system-wide security collaboration. “We wanted to help the non-security C members to understand what’s really happening,” she said. “We can also help the CISO to understand how to talk to the C-suite, because if they see where the perceptions and disconnects are, this can make us all potentially stronger.”
So where are the disconnects? What are some of the signs that your organization isn’t truly prepared for realistic security threats? The report identified several and Kelley will present them at an August 16 panel hosted by the Society for Information Management’s Cybersecurity SIG. Read on to learn some of the most significant signs your company isn’t prepared for a cybersecurity threat.
You’ve misidentified the actual threats
If your C-suite doesn’t know where threats originate, then it won’t allocate the appropriate resources to address them. For instance, 70 percent of executives surveyed ranked “rogue actors” as their gravest risk. “We sometimes jokingly refer to them around here as ‘the hacker in a hoodie,’ like someone out of the show Mr. Robot,” said Kelley. “It’s the idea of this rogue guy in a dark room doing terrible things. The reality is that cybercrime is a huge business, and 80 percent of the threats are coming out of very organized groups.” Why does this misperception matter? Because executives underestimate the time and resources of those trying to hack them. “They think they’ve got an adversary who’s working essentially alone and probably doesn’t have a lot of funding. But your real adversary is incredibly well-funded.”
You don’t have a CISO
The chief information security officer is still a relatively new role, and most companies still haven’t hired for it. And if a company doesn’t have a CISO, it’s less likely to have implemented a comprehensive cybersecurity program that engages every department. “To us who work in security it just seems so obvious,” said Kelley. “But to have objective, quantifiable data actually bear that out was really quite powerful. So now we can say hiring a CISO is worth it and there’s data to back it up, not just our opinions.”
Not every C-suite member is involved
The survey found that not every member of the C-suite was likely to be closely involved with the cybersecurity planning, especially those who oversee financial, customer, and employee data. “The three key executives who are responsible for the data most coveted by cybercriminals — CFO, CMO, CHRO — are the least engaged,” said Kelley. “So why are they not more involved? The more involved a group is in the conversation, the more cyber secure they are.”
You’re not willing to share information
About two-thirds (68 percent) of CEOs surveyed said they were reluctant to share information with other companies about cybersecurity threats they’ve faced. “However, greater external collaboration among organizations can speed the development of collective knowledge and insights on threat actors and their strategies,” wrote the study’s authors. “Leadership needs to address the aversion to responsible collaboration with appropriately vetted external parties, creating the opportunity to leverage analytics and apply increasingly sophisticated cognitive capabilities to strengthen and automate security solutions and help to mitigate risks.”
If there’s a consistent theme among these findings, it’s that secure companies are better at conducting open dialogues about cybersecurity, both internally and externally. “It’s really about bringing everybody together,” said Kelley. “Understand that all sides have something to share and contribute to the conversation. The more information we share with the good guys, the defenders, the more we’ll be able to educate and put in compensating controls more quickly.”