There’s a problem at the top. In too many organisations, responsibility for cybersecurity is muddled. Or even worse, it’s being assumed by the wrong person. Given escalating threat levels, the complexity of security environments and increasingly acute regulatory challenges, there’s an urgent need for clear reporting lines and a foregrounded role for the CISO.
With strong leadership at the top, it becomes easier to build that much-needed security culture organisation-wide, engrained by design and default into everything people do.
NTT Security’s most recent Risk:Value report was distilled from interviews with 1,800 non-IT business decision makers across the globe. It paints a confusing picture. Globally, 22% believe the CIO is ultimately responsible for managing security — slightly ahead of both the CEO (20%) and CISO (19%). In the UK, the biggest number of respondents believe the CEO (21%) is in charge, followed by the CIO (19%), with the CISO again in third place (18%). In the US (27%) and Norway (26%) even more respondents voted for CEO leadership in security.
We can deduce a couple of things from these findings. First, the CISO is still not viewed as a standalone leadership role, and second, executives are really split over who’s in charge. In fact, with the hiring of Data Protection Officers (DPOs) by many organisations to comply with the GDPR, responsibilities could become even more blurred.
Part of the problem may be that in many organisations the CISO still reports in to the CIO. This is starting to change. According to the CIO100 survey the number of CISOs who are seen as peers of the CIO more than tripled, from 5% in 2017 to 16% this year. But our findings show there’s still a lack of clarity on the separation of powers between CIO and CISO.
Whatever happens, organisations should not be handing responsibility for the cybersecurity function to the CEO. A non-expert managing this specialist role is likely to do more harm than good, and at the very least may delay crucial security decision-making as other critical responsibilities take precedence.
A bad time to lack leadership
Thanks in part to a lack of leadership, fewer than half (48%) of global organisations, and just 53% in the UK say they have fully secured all of their critical data. This is despite the potentially huge fines awaiting any who fall foul of the GDPR. It’s worth remembering that the average cost of a breach globally now stands at $1.5 million, up 13% from 2017. But this could rise many times higher if European regulators see something they don’t like.
A lack of cohesion at the top may also be responsible for the glacial pace at which organisations’ cybersecurity preparedness is moving. Just 57% even have a security policy to speak of, a single percentage higher than in 2017, while 26% say they’re working on it, versus 25% last year. Some 81% claim to have actively communicated this policy to the organisation, compared to 79% last year. It’s no surprise that the number of executives who believe their employees are fully aware of these policies has not changed since, standing at a poor 39%.
Security as a shared responsibility
The bottom line is that boards need to grasp the importance not only of cybersecurity itself, but also clear and effective leadership. Digital transformation efforts will fail if not built on a secure foundation. CISOs can help where possible by speaking in a language the board understands, which means talking in terms of business risk. Yet once the role of the CISO has been elevated to a standalone board position on a par with the CIO, that’s not the end of the story.
CISOs must cultivate a corporate-wide culture of security. This is easier said than done but should start with awareness-raising and training programmes for everyone — including temps, contractors and, of course, the board. In fact, according to our data, senior managers and executives are among the most likely to click on phishing links or engage in other risky behaviour.
Your employees increasingly represent the frontline when it comes to cyber threats. Attackers believe they are the weakest link and will relentlessly target them with phishing messages. With a critical awareness of where these threats lie, your employees can be transformed from a weak link to a great first line of defence, to be complemented by the appropriate security policies and controls.
Consider training programmes that use real-world simulation scenarios that can be tweaked to take account of the latest threats. These should be run in short bursts of perhaps no longer than 15-20 minutes. Also crucial is the process of collecting and analysing results and feeding these back to employees. Over time, you will hopefully start to see improvements and changes in behaviour.
Security should be everyone’s responsibility. So, on top of phishing awareness and other practical exercises, it pays to help staff understand the importance of their actions. One misplaced click could lead to major fines, customer attrition and ultimately potential job losses. The GDPR states that data protection must be engineered into everything a company does, by design and default. This should apply to cybersecurity more broadly. Helping to join the dots for employees so they can understand the impact of poor digital hygiene is just one way to build that organisation-wide culture of security that every CISO should aspire to.