Many leaders across the C-suite are confused about who the true cybersecurity adversary is and how to effectively combat them, opening the door for channel partners to influence, inform and educate.
The new IBM study of over 700 C-level executives across the world - Securing the C-Suite, Cybersecurity Perspectives from the Boardroom and C-Suite - claims CxOs from 28 countries, across 18 industries, struggle to understand the rise of cybercrime and its subsequent impact on the enterprise.
Excluding the CISO to get a true picture of what everyone else in the C-Suite thinks about cybersecurity, the study found key executives need to be more engaged with CISOs beyond planning for security, and take a more active role.
On paper, cybersecurity is viewed as a top concern by 68 percent of CxOs, while 75 percent believe a comprehensive security plan is important, yet findings suggest this rarely translates into reality.
“The world of cybercrime is evolving rapidly but many C-Suite executives have not updated their understanding of the threats,” says Caleb Barlow, Vice President, IBM Security.
“While CISOs and the Board can help provide the appropriate guidance and tools, CxOs in Marketing, Human Resources, and Finance, some of the most sensitive and data-heavy departments, should be more proactively involved in security decisions with the CISO.”
A major finding of the study was that 70 percent of CxOs think rogue individuals make up the largest threat to their organisations.
Yet as Barlow explains, the reality is that 80 percent of cyberattacks are driven by highly organised crime rings in which data, tools and expertise are widely shared, according to a United Nations report.
The study found that a broad set of adversaries concerned the C-Suite including 54 percent who acknowledged crime rings were a concern, but they gave nearly equal weight of concern to competitors at 50 percent.
“Over 50 percent of CEOs agree collaboration is necessary to combat cybercrime,” Barlow adds.
“Ironically, only one-third of CEOs expressed willingness to share their organisation’s cybersecurity incident information externally.”
For Barlow, this exposes a resistance to widespread and coordinated industry collaboration, while hacking groups continue to perfect their ability to share information in near real-time on the Dark Web.
CEOs also emphasise that external parties need to do more: stronger government oversight, increased industry collaboration and cross-border information sharing - a dichotomy that Barlow believes needs to be resolved.
In fact, Marketing, Human Resources, and Finance departments represent prime targets for cybercriminals as they manage some of the most sensitive customer and employee data, manage corporate financials and have access to banking details.
In the study, roughly 60 percent of CFOs, CHROs, and CMOs readily acknowledge they, and by extension their divisions, are not actively engaged in cybersecurity strategy and execution.
For example, only 57 percent of CHROs report they have rolled out employee training that addresses cybersecurity, a first step in getting employees engaged on cybersecurity.
An overwhelming number of the CxOs surveyed, 94 percent, believe there is some probability that their company will experience a significant cybersecurity incident in the next two years.
According to IBM’s analysis, 17 percent of the respondents feel prepared and capable of responding to these threats; these most prepared and capable CxOs are classified as ‘Cyber-Secure’.
As such, ‘Cyber Secure’ leaders are two times more likely to have incorporated C-Suite collaboration into the cybersecurity program and two times more likely to have elevated cybersecurity to a regular agenda item at the Board level.
Representing an opportunity for local channel partners to add strategic high-level value, IBM advises companies to “understand the risk, collaborate, educate and empower, while managing risk with vigilance and speed”.
“Evaluate your ecosystem for risks, conduct security risk assessments, develop education and training for employees and incorporate security into the enterprise risk plan,” Barlow advises.
“And establish a security governance program that empowers the CISO, elevates and regularly discusses cybersecurity at C-Suite meetings and includes the C-suite in developing an incident response plan.
“Also, implement continuous security monitoring, leverage incident forensics, share and utilise threat intelligence to secure the environment, understand where the organisation’s digital assets reside and develop mitigation plans accordingly, develop and enforce cybersecurity policies.”