When you think about the recent ransomware incident at the Hollywood Presbyterian Medical Center, where they had to pay hackers over $17,000 to regain access to patients’ medical records and control over their systems, you get a really good look at what it means to think of security as secondary to your organization’s operations.
A proactive and holistic information security posture is fundamental not only to protecting your data but also to avoiding disruption in your day-to-day operations. Additionally, an organization with a good security strategy is trusted by its customers, investors and/or potential business partners. With this knowledge, it would seem highly unlikely for security executives and the C-Suite to be on different pages when it comes to cybersecurity, yet a recent IBM study shows that this seems to (still) be the case.
Disconnect in the level of confidence with the cybersecurity strategy
While 77% of Chief Risk Officers and 76% of CIOs/CTOs report that their firm’s cybersecurity strategy is well established, just 55% of CFOs and 51% of CEOs report the same. Additionally, while 50% of CEOs agree that collaboration is necessary to combat cybercrime, just one-third of them are willing to share their organization’s cybersecurity incident information externally.
Cybersecurity strategy alignment across all departments missing
Around 60% of CFOs, CHROs, and CMOs accept that they and their divisions are not actively engaging in cybersecurity strategy and execution. Because of the sensitive data that marketing, human resources, and finance departments manage, they are key targets for cybercriminals. This means these department heads should jump on the opportunity to work with the security team to ensure maximum protection for the sensitive data they handle, in addition to caring about their overall organization’s ability to secure the business environment and operations from cyber threats.
Only 57% of CHROs have rolled out cybersecurity training for employees. It was also found that even though 94% of C-Level executives seem to understand the scale of a security threat, only 17% feel prepared and capable of responding to one. When every security expert is talking about the human component and how important training is to get everyone to understand and implement good security, one has to wonder why there is a lag in setting up routine training sessions, or at the very least easily accessible ones. Also, when it becomes clear that the C-Level executives don’t feel prepared for cyber risks, that should be an even bigger incentive to organize these types of security learning opportunities.
Mobile device security and more still a big headache
For the C-Suite, the biggest cybersecurity threat is employee mobile devices, followed by social media for 57% of executives and channel systems for 54% of executives. Also, 47% of the C-Suite believe enterprise mobile apps and cloud-based apps are the riskiest part of the IT infrastructure, followed by vendor/partner system integration points at 42% and, lastly, data/analytics apps at 38%.
With all these different takes on what the biggest security threat is, and with departments not engaging in cybersecurity execution with their security teams, it seems that CIOs and the C-Suite continue to fall short of producing a cohesive and unified risk management plan. This does not work in an organization’s favor, especially when cybercriminals collaborate and share information on the dark web and elsewhere.
The sooner security executives and the C-Suite start working together to implement a holistic security posture to combat threats and vulnerabilities, the sooner they can start sleeping a little better at night. It’s understandably challenging to implement something like cybersecurity, which is continuously evolving due to its digital nature, but that’s also why the sooner businesses get started on it, the better they can get at keeping up with the cyber world and the threats that come with it.
Do you need help talking about information security with the C-Suite? And what other disconnects do you find continue to exist within organizations that are preventing a solid risk management plan?
Photo Courtesy of donskarpo