The latest wave of high-profile data breaches has put IT security on many business leaders’ agendas. What was once a ‘backroom’ conversation around firewalls or data loss prevention tools is now becoming a board-level discussion around risk assessment and management in more and more organisations. This is no doubt welcome news for CIOs who have been campaigning for support from senior levels to ensure security gets the focus and attention it needs.
CEOs on board
PwC's 2015 Global CEO Survey found that 61 per cent of CEOs are concerned about “cyber threats, including lack of data security”. Cyber security was listed third in level of strategic importance (78 per cent), just behind mobile technologies for customer engagement (81 per cent) and data mining and analysis (80 per cent). Additionally, 53 per cent of CEOs reported cyber security as being “very important” strategically.
A look at PwC’s 2016 Global CEO Survey results, released in January, shows just how much the involvement of top executives has evolved in the space of 12 months. This year’s survey found a double-digit uptick in board participation in most aspects of information security. 46 per cent of CEOs state that they participate in information security budgets (which may have contributed to this year’s significant boost in security spending discussed in a previous blog).
For the CIO, the increased importance placed on IT security by business leaders means being prepared to answer a lot of their questions about risk. Michael Friedenberg, President and CEO of IDG Communications, lists five security-related questions CIOs should expect from the board:
- What actions are we taking to protect the company from the high risks associated with cyber security incidents?
- What is our specific plan to address cyber security across our business? Are our employees properly updated and trained?
- If (or more likely when) a breach occurs, what is our response plan? (Internal and external.)
- Do we have the right security talent on board? Are we structured properly to avoid (or reduce the impact of) a breach?
- Have we quantified our risk exposure? (Both hard costs and soft?)
Since cyber security is now a business issue, CIOs need to be prepared to answer CEOs’ questions in the ‘business’ language of dollars, cents and risk. It’s vital that these discussions are focused on the risks to the business of a security or data breach, as opposed to the technology required to minimise the risk. As such, today’s CIO needs to have expertise not only in security but also in risk management, corporate governance and overall business objectives.
Security is no longer just the realm of IT – it’s becoming an increasingly common topic of discussion at boardroom tables. This deepened executive involvement has the potential to improve cyber security practices in numerous ways, including the identification of key risks, helping to foster an organisational culture of security, and better alignment of information security with overall risk management and business goals.
CIOs have an opportunity to add real strategic value to their organisations by having frequent, productive conversations around cyber risks with business executives and overseeing the effectiveness of controls deployed to mitigate them. This starts with designing a robust IT security risk management program. To learn how you can prepare your organisation across the attack continuum – before, during, and after an attack – download our complimentary how-to guide: 'Security in a world with no perimeters'.