Several studies have emerged recently that say, on the one hand, that the leaderships of large businesses don’t really take cyber security all that seriously, and on the other that they are starting to.
The upshot seems to be: Cyber security, if it hasn’t been in the top list of major issues to be considered by C-suites and boards in the past, is now.
Chief information officers or their equivalents, in particular, have been identified as point persons not only in countering the threats, but in communicating cyber response urgency throughout their organizations.
It could hardly be anything else, given the repetitive blaring reports of one major cyber heist after another. As the headlines accumulate, they’ve no doubt been noticed by leaders of major businesses. Again, more and more often, CIOs are called on to sit as colleagues around the boardroom table.
Viewpoints and behavior often clash
Here’s a rundown of the various reports:
• The National Retail Federation, along with Forrester Research Inc., surveyed 84 retail leaders last year. They found that managing data security is the most urgent focus area for retail CIOs, with 97% placing it at the top of their 2015 priority lists.
“With the role of the CIO evolving further as a company’s strategic technology innovation leader, the complexity of the business challenges cannot be lost—from data security to new digital customer experiences,” says NRF Vice-President Tom Litchford.
• Raytheon, along with Ponemon Institute, surveyed 1,006 CIOs or their equivalents, both here and abroad: 78% of those surveyed said their board of directors has not been briefed on their organization’s cyber security strategy in the last 12 months. In addition, 66% of respondents believe senior leaders in their organization do not perceive cyber security as a strategic priority.
“High-profile cyber security breaches are closing the gap between [chief information security officers] and CEOs by forcing meaningful security discussions into corner offices and boardrooms,” says Larry Ponemon, chairman of Ponemon Institute. “In the meantime, our study found there is still a large delta between resources and needs, as security leaders lack both funding and manpower to adequately protect assets and infrastructure.”
• Lockheed Martin polled 678 U.S.-based senior IT practitioners in a variety of sectors, including financial services. Most of these noted an increase in the severity and frequency of cyber attacks, but feared they don’t have the budget (64%) or the expert personnel (65%) to address threats.
Other disturbing findings of Lockheed Martin’s poll:
• “We must be safe, right?” Respondents who said they did not feel they are presently being targeted for attack base this either on their intuition (35%) or logical deduction (33%)—rather than data or intelligence (32%).
• Enemies inside your walls. 36% said negligent insiders were the most significant network vulnerability, and 53% ranked malicious insiders in their top-four threats.
The top two factors impacting an organization’s cyber security posture—employee cyber awareness and supply chain security—receive only 45% and 15% of cyber security budgets, respectively.
• PwC US conducted two similar polls, one of public company directors and another of institutional investors, on a variety of subjects to gauge each group’s perception of current issues. It found that nearly three quarters of the institutional investors believe it is important for corporate directors to be discussing their company’s crisis response plan in the event of a major security breach.
However, only half of directors have had those discussions.
“Investors want directors to focus more on certain aspects of information technology than they currently are—including preparing for possible communications about security breaches,” the report concludes.
• Robert Half Technology, which focuses on the hiring and careers of CIOs, surveyed more than 2,400 CIOs from U.S. companies with 100 or more employees across the country on what steps, if any, they are taking or will take to protect sensitive company information.
It found that 85% were indeed taking one or more steps: 54% are beefing up employee training on security issues; 45% are more closely vetting firms that have access to company data; and 45% are hiring more IT security professionals.
“CIOs are attacking the problem from all sides, but there is a strong emphasis on employee-driven measures. Vigilant IT teams and security-savvy individuals throughout the organization are a valuable and fundamental defense; without both, other courses of action will be less effective,” says John Reed, senior executive director of Robert Half Technology.
Once more, it’s about “tone at the top”
So one point to draw from this is that, above the technology involved, people management is required—and that sounds a lot like a senior management function. Which in turn sounds a lot like not only dealing with the threat of cyber attack, but having the preparation for it elevated to the highest levels of a company.
Which, again in turn, brings up the point: How can CIOs make their case that cyber preparedness not only is an operational risk issue, but an operational benefit issue?
• Ernst and Young, in a recent white paper tellingly titled “How To Use Cyber security To Generate Business Value,” takes on this question directly:
“If [CIOs] can prove that they are on top of the situation when a cyber attack does occur, they are likely to secure the gratitude of the board and the increased influence that can bring.
“But CIOs need to realize that their biggest strength—and potential weakness—in the fight against cyber threats is not their technology, but their people.”
EY’s paper provides these steps CIOs should take to make sure that their people are a security asset:
• Focus your defense on your organization’s people.
• Look at the risks to the business, not just to the technology.
• Make the people in your organization aware of cyber threats.
• Educate IT users on safe behaviors.
• Don’t just react—plan your response for when an event occurs.
Sources used in this article include: