The past few years have seen IT chiefs take on more and more duties towards achieving cyber resilience for their organizations. Little do their higher-ups know that different ranks across the company must now shoulder those responsibilities to accomplish this mission. And if recent studies are any indication, CIOs and CISOs still have a ways to go to persuade their peers to make cybersecurity a key part of the business program.
IT leaders agree that cybersecurity needs to be a board-room topic and, according to at least some studies, cybercrime is indeed on the agenda of many senior executives across different industries. However, saying is not the same as doing, as one Accenture report reveals.
In a poll of 1,400 executives, the consulting company found that 73 percent of C-level executives agree that cybersecurity staff and activities need to be dispersed throughout all parts of the organization. However, the survey reveals, cybersecurity remains centralized in 74 percent of companies.
“There is little indication that C-suite executives expect to shift more responsibility for cybersecurity to business units. For example, 25 percent of non-CISO executives say business unit leaders are accountable for cybersecurity today and a similar number believe business unit leaders should be responsible in the future,” the report reads.
Nearly half of CISOs polled acknowledged that their responsibilities for securing the organization are growing faster than their ability to address security issues.
“There is no doubt that organizations are taking cybersecurity more seriously; however, there is still much work to be done. Cybersecurity strategy needs to be led by the board, executed by the C-Suite and owned at the front lines of the organization. Further, it must be infused across all aspects of a company’s processes and systems, and built into the daily work activities of employees,” said Omar Abbosh, Accenture’s chief strategy officer. “To be able to grow safely, companies can establish sustained cyber resilience through a continual, proactive focus on cyber risk management at all levels.”
Other findings are equally disconcerting. Cybersecurity strategies are not aligned with emerging areas of concern, C-suite executives say. Only half of organizations conduct cybersecurity training with new hires, and just as many hold regular awareness training with all staff. Only 40 percent of CISOs said establishing or expanding an insider threat program is a high priority, while another 40 percent confer with business-unit leaders to understand the business before proposing a security plan.
Many C-suite executives do not always see adopting new technology as a good idea. For example, 77 percent of respondents said IoT products will increase cyber risk moderately or significantly. Only 44 percent said cloud technology is protected by their cybersecurity strategy, while 74 percent believe cloud services will increase cyber risk.
Finally, sharing data with partners and third parties is also regarded as an area of high risk. Only 39 percent of CISOs said the data exchanged is adequately protected by their cybersecurity strategy.
A similar study by KPMG shows the role of Chief Information Officers (CIOs) has grown more strategic as cloud migration and data security are becoming industry standards.