A recent report says the C-Suite is paying more mind to security issues, but other reports contradict those findings
While worldwide spending on information security products and services grows annually, the focus on security as a business priority has been slower to catch on. The idea that security is a shared responsibility throughout an organization sounds good in theory, but, in reality, many security leaders observe that this sentiment is often lip service.
However, there may be a shift in thinking in executive management. New research from Radware finds that cybersecurity is now recognized as a key business driver by the C-Suite, with 98% of C-suite executives noting they have some management responsibility for security. The report also finds a majority (72%) of executives surveyed say information security is an agenda item for every board meeting.
The report, which includes insights from 263 senior leaders at worldwide organizations, primarily with revenue of more than $1 billion USD/EUR/GBP, also digs into the key impacts that executives worry about, which drive the high-level emphasis on security. The concerns include:
- Customer loss – 45%
- Brand reputation loss – 44%
- Revenue loss – 32%
- Operational loss – 32%
“What we are seeing now is that the rest of the C-suite is recognizing the impact that good (and bad) cybersecurity practices can have,” said George Wrenn, CEO and founder of CyberSaint Security. “As headlines herald massive breaches like Marriott and Equifax, followed by the hearings and eventual firings and stock downgrades, business leaders are rightfully concerned.”
Accountability, and Jobs, Are Now on the Line
“Public scrutiny of business leaders is at an all-time high due to massive hacks and data breaches at some of the world’s largest organizations,” said Steve Durbin, managing director of the Information Security Forum. “It’s become progressively clearer over the past few years that in the event of a breach, the hacked organization will be blamed and held accountable. That means everyone in the C-suite is potentially at risk of finding themselves on the chopping block.”
And attention paid to security is no longer just an internal matter. The report finds that 75% of executives say security is a key part of their marketing messages.
“Large companies should be particularly concerned because when they suffer a cyberattack, even an unsuccessful one, it is news,” said Dror Fixler, CEO of FirstPoint Mobile Guard. “It can impact sales. Marketing may need to manage a social media crisis. The brand will no doubt take a hit.”
Organizations Still Struggle to Prioritize Security
But the Radware results are one perspective on an issue that often draws mixed feedback from security executives in the field. They also sit uneasily alongside the findings of a 2018 Accenture poll of more than 1,400 C-suite executives, which revealed that an organization-wide lack of communication and shared understanding of security is common. Among the revelations in the Accenture report:
- Only 25% of non-security executives claimed that their business unit leaders currently shared responsibility for security.
- Only 38% of companies bring the CISO into all discussions at the beginning stage of considering new business opportunities.
- Only 40% of CISOs polled said they always confer with their business unit leaders to understand the business before suggesting a security approach.
Security researcher and consultant David Lee Djangmah said he thinks the Radware survey misses several major points, including the need for human resources to take a more active role in promoting security throughout an organization and to hire strategically.
“Elevated risk intelligence doesn’t imply risk maturity,” said Djangmah. “Security being a key component of marketing strategy or a recurring agenda item in every board meeting is irrelevant to malicious actors happy to exfiltrate your data and take advantage of fundamentally flawed infosec hiring.”
Long Way to Go Before Security Gets the Focus It Needs
Mike Polatsek, CSO and co-founder of CybeReady, disagreed that security has solidified its place in executive mindshare.
“Unfortunately, security hasn’t become a shared responsibility across top management functions yet,” he said. “In most companies, information security teams are solely responsible for implementing and operating security solutions, and are often struggling to raise awareness and foster buy-in from other executives.”
Jason Clark, chief strategy officer of Netskope, believes the journey to complete executive buy-in for security is only just beginning.
“Even though more C-suite executives now recognize security as a key business driver, we still have a long way to go in making security a shared responsibility across the entire management team. In order to achieve this, CISOs need to develop relationships with each of their fellow C-suite partners and find out what motivates them,” he said. “Ask what their goals are, how they drive value for the company, what their strategy is, and what their biggest concerns are regarding security.
“Once CISOs figure out how they can help each member of the C-suite do their job better, they can commit to doing so on the condition that these other leaders bring the CISO into their business processes earlier,” he continued. “Helping other business leaders understand the impact that security has on their own successes is the first step towards (sic) creating a shared responsibility model across the C-suite.”