Why is a Dialogue Between CISOs and Business Executives so Important for Effective Business Governance?
July 13, 2017 / By Romain Isaac
The role of the CISO, the Chief Information Security Officer (or CTO), is essential when adapting a business's IT infrastructure. The importance of the CTO's role is increasingly stressed when defining new methods of work organization and management, especially for highly strategic and confidential data. According to a recent study conducted by The Economist Intelligence Unit with more than 200 company executives and department heads, the CISO is now understood to be a strategic player who, together with management, facilitates the digital changes needed for business functions to adapt.
Yet, even though 83% of today's executives see the value of the information system for security, for driving profits and for the overall governance of the business, "information management is still seen as a support function rather than a strategic asset", according to the Economist Intelligence Unit.
The role of executives in corporate cybersecurity
A study conducted by the Cercle Européen de la Sécurité et des Systèmes d'Information points to the disparities in how IT managers and business executives perceive responsibility when discussing cybersecurity. Executives are under the false impression that their company is already preventing cyber threats. This view does not match operational reality, however, where the executives themselves are in fact impeding cybersecurity policies.
This can be explained by how executives perceive protection against risk: 80% consider their company to be sufficiently protected, and more than one in two managers see their security policies as proactive. Among the symptoms of the gap between the two parties, the question of who is responsible when a threat materializes is typical. Each party believes the other to be accountable: 35% of executives believe the responsibility falls on the CISO, while 50% of CISOs believe the reverse.
A significant disparity between CTOs and business executives when estimating the cost of a cyber attack
There is a real lack of knowledge surrounding this issue. According to a study carried out by Palo Alto Networks among 765 business leaders at companies with over 1,000 employees (in Germany, France, the UK, Belgium and the Netherlands), only 13% of executives "somewhat" understand what a computer security risk would do to their company, while admitting that they "still need Google to help explain it". For their part, one tenth of employees believe their executives have no real understanding of the subject, or at least not a sufficient understanding to actually protect the company.
When it comes to calculating the cost of a cyber attack, CISOs and executives don't see eye to eye. CISOs estimate the average cost of a cyber attack at $19.2 million; management puts it at $11 million. This inconsistency is reflected in the investment forecasts for cybersecurity: 82% of IT departments see cybersecurity as part of the overall strategy, yet only half of executives share this opinion.
Working toward a culture of cybersecurity adopted by the entire company
Implementing effective governance requires adopting solutions in consultation with the company's entire value chain. A paperless board, in particular, is beneficial at all organizational levels of the business:
Reduce the workload of corporate secretaries
Reduce the preparation time for the board (4 hours for a paperless board versus 16 hours on average with a traditional board)
Better performance of board members
Pertinent and proactive security in the context of growing cyber attacks
Significant savings in management expenses: savings of up to 37% when the board of directors is actively involved with cyber security (source: Hewlett Packard Enterprise)
A well-managed IT security strategy has positive effects on the entire company. As David Allison, a cybersecurity expert, points out, "security needs to be a culture that is disseminated throughout the organization. It's up to the CEO to put that culture in place. The Chief Information Security Officer defines and implements the strategy that meets this need – and each employee is responsible for adopting and monitoring the required practices."