IBM recently released the findings of its survey, Securing the C-Suite, which looks at the perceptions of cybersecurity at the board and C-Suite level. The study, based on 700 interviews with CxOs from 28 countries, across 18 industries, attempted to get an understanding of C-level insight on cybersecurity. The survey found that the C-suite is still under-involved in data security and cybersecurity. Only 17% of organizations had 4 key areas of preparation: a CISO, C-Suite collaboration on the cybersecurity plan, regular data security discussions at C-Suite meetings and regular discussions at the board level.
As we’ve seen repeatedly in the past year, C-Suite executives remained confident of their overall security posture, with 76% of CIOs and risk officers and 55% of CEOs stating cybersecurity plans are very well established. Given the lack of ongoing discussion on data security by these executives, it’s likely this is a symptom of overconfidence about data security, which can dangerously lead to complacency. Organizations believe they have a 1 in 4 chance of suffering a data breach that has a material impact, which both accepts a high level of risk and perhaps dents this statement of confidence.
As we’ve been postulating, one of the systemic issues facing organizations is the belief that data security is the responsibility of IT. This belief creates a division in the organization, leaving out key players who manage large amounts of data such as CxOs in marketing, finance and HR. As the IMB report suggests, this can lead to CIOs believing that technologies have solved the “issue” of data security (hence their higher level of confidence in security posture), while the business aspects on information management, education and policy could be overlooked. For example, only 57% of organizations surveyed had rolled out employee education on cybersecurity.
In the survey, 70% of respondents believe rogue individuals make up the largest threat to their organization, which we agree with. The survey contrasts this with another figure from a UN report from 2013 which suggests that cybercrime is largely driven by organized crime rings. While the report attempts to use this figure to highlight an incorrect assumption of risk, we would counter that the two figures are not mutually exclusive. Indeed, more recent reports have conclusively tied most cybersecurity incidents back to people – that insiders inadvertently, maliciously or negligently create opportunities that cybercriminals then exploit.
Studies have proven that technologies, policies and education are more effective if they culture of security begins at the board and C-suite level. This top-down prioritization of data security as a business issue, not a technical issue, has been proven to be a key differentiator in organizations being able to create effective policies and actions to tackle security gaps.
The most secure organizations are ones where there is a culture of security that is embedded top-down, where every employee, from the board to the mail room, understands their role in protecting corporate data, with tools that both support, enable and protect data wherever it resides. To learn about how Absolute can help your organization get there with tools to support security and data risk management for the endpoint, visit our website.