It’s clear by now that IT executives take cybersecurity threats seriously, at least in the abstract. The most recent SIM IT Trends Study, which surveys industry IT leaders, found that security is among the main issues keeping them up at night and is one of the biggest investments IT departments are making.

But given that security threats now exist far outside the IT department, it’s not enough for just IT leaders to take them seriously. Every department needs to be involved in the discussion, and that involvement should start within the C-suite.

While IT executives might have a firm grasp of current threats against their organizations, not all their non-IT colleagues share that same knowledge, according to a recent IBM study titled “Securing the C-suite.”

Researchers from IBM’s Institute for Business Value surveyed 700 C-suite executives from 28 countries across 18 industries to assess non-IT executives’ understanding of the security threats facing them and their preparedness for such threats.

IBM executive security advisor Diana Kelley co-authored the report. She got her start in cybersecurity more than two decades ago when working as a network administrator for a Cambridge startup.

“They were doing updates over the internet, and then some creeps broke into my network,” she recalled. “So I went overnight from being a network admin to a security admin.” Four years ago, she joined IBM’s 7,000-person security team to advise IBM customers on best practices and threats.

As part of this role, Kelley also works with internal teams to conduct and publish industry research. She explained that IBM conducted the “Securing the C-suite” study to help CIOs and CISOs communicate to the rest of the C-suite the importance of system-wide security collaboration.

“We wanted to help the non-security C-suite members to understand what’s really happening,” she said. “We can also help the CISO to understand how to talk to the C-suite, because if they see where the perceptions and disconnects are, this can make us all potentially stronger.”

So where are the disconnects? What are some of the signs that your organization isn’t truly prepared for realistic security threats? The report identified several of the most significant.

You’ve misidentified the actual threats. If your C-suite doesn’t know where threats originate, then it won’t allocate the appropriate resources to address them. For instance, 70 percent of executives surveyed ranked “rogue actors” as their gravest risk. “We sometimes jokingly refer to them around here as ‘the hacker in a hoodie,’ like someone out of the show Mr. Robot,” said Kelley. “It’s the idea of this rogue guy in a dark room doing terrible things. The reality is that cybercrime is a huge business, and 80 percent of the threats are coming out of very organized groups.”

This misperception matters because executives underestimate the time and resources of those trying to hack them. “They think they’ve got an adversary who’s working essentially alone and probably doesn’t have a lot of funding. But your real adversary is incredibly well-funded,” Kelley said.

You don’t have a CISO. The chief information security officer is still a relatively new role, and most organizations have yet to fill it. An organization without a CISO is less likely to have implemented a comprehensive cybersecurity program that engages every department.

“To us who work in security, it just seems so obvious,” said Kelley. “But to have objective, quantifiable data actually bear that out was really quite powerful. So now we can say hiring a CISO is worth it, and there’s data to back it up, not just our opinions.”

Not every C-suite member is involved. The survey found that not every member of the C-suite was likely to be closely involved with cybersecurity planning, especially those who oversee financial, customer and employee data. “The three key executives who are responsible for the data most coveted by cybercriminals — CFO, CMO, CHRO — are the least engaged,” said Kelley. “So why are they not more involved? The more involved a group is in the conversation, the more cyber secure they are.”

You’re not willing to share information. About two-thirds (68 percent) of CEOs surveyed said they were reluctant to share information about cybersecurity threats they have faced with other organizations.

“Greater external collaboration among organizations can speed the development of collective knowledge and insights on threat actors and their strategies,” wrote the study’s authors. “Leadership needs to address the aversion to responsible sharing with appropriately vetted external parties, creating the opportunity to leverage analytics and apply increasingly sophisticated cognitive capabilities to strengthen and automate security solutions and help to mitigate risks.”

Simon Owens
Simon Owens is a technology and content consultant for the Society for Information Management.