The C-suite is increasingly paying attention to cyber risks, sometimes even getting presentations directly from the the infosec team.
But are they learning enough? No, according to a just released report by IBM.
In a study of 700 C-level executives in 28 countries — excluding CISOs — the company concluded many leaders are confused about who the true cybersecurity adversary is and how to effectively combat them.
Seventy per cent of CxOs questioned thought that rogue individuals make up the largest threat to their organizations, perhaps spurred by many recent reports that underline the threat of insiders. But, the report points out, IBM’s 2015 annual cyber report found only 31.5 per cent of data breaches are attributable to malicious insiders. According to an IBM press release that accompanied the report, the United Nations says 80 per cent of cyberattacks are driven by highly organized crime rings.
And while 54 per cent of respondents acknowledged crime rings were a concern, they worry almost equally about the potential threat of competitors.
The study concludes that key executives need to be more engaged with CISOs beyond planning for security, and take more active role. “Understanding the enemy helps optimize risk management and investment in security solutions,” says the report.
Among other interesting findings:
–Only 57 per cent of chief human resources officers said they have rolled out cybersecurity training for employees. “As the stewards of sensitive employee personal information, which is highly coveted by hackers, CHROs should be at the forefront of their organizations’ cybersecurity efforts.” the report says.
— 68 per cent of CEOs expressed an aversion to share incident information externally. However, the report argues greater external collaboration among organizations can speed the development of collective knowledge and insights on threat actors and their strategies. “Leadership needs to address the aversion to responsible sharing with appropriately vetted external parties, creating the opportunity to leverage analytics and apply increasingly sophisticated cognitive capabilities to strengthen and automate security solutions and help to mitigate risks.”
–There’s a cybersecurity confidence paradox: Overall, 65 per cent of C-suite respondents are confident that their organization’s cybersecurity plans are well established. However, some are more confident than others. Seventy-seven per cent of Chief Risk Officers (CROs) and 76 per cent of CIOs are chipper, compared to slightly over half of CEOs.
–Six per cent of respondents believe no possibility exists for a breach that would materially impact their organizations.