Top Security Concerns Executives Need to Address
Cybersecurity should be on everyone’s list of concerns, but for executives, it should be managed as a business risk and not just a technical issue handed off to the IT department.
There seems to be a disconnect between what cybersecurity teams are saying and what their company’s leadership is hearing. 94 percent of cybersecurity experts think that executives act on their advice, but only 74 percent of executives say they take guidance from those same teams. There are a number of reasons why this gap exists, including executives still treating IT security like a cost center, not understanding that security is a business enabler and risk, or believing that security decisions are too technical and need to be made by IT professionals.
Paying attention to top threats
When I read articles like this, I usually skip past the top sections that set up the rest of the article’s point. I say to myself, "just get to the top security concerns, I don’t need all of these statistics and marketecture slides." Well, I think that is part of the problem with executives: ignoring the fact that security threats are a business risk, simply "skipping" the stats and passing it along to the IT guys.
Let’s look at the facts. Cybersecurity concerns have been in the top five business threats for years, and 2020 is no exception. Below are the top five business threats for this year based on a study by PWC.
When the focus of board-level discussions turns to cybersecurity, it takes on a new meaning and the responses to those threats change dramatically. Instead of just looking at tools, controls, users and data, we now focus more on things like risk management, revenue enablement and shareholder value. The struggle then becomes how to align those IT technical controls with the board-level concerns.
In a survey, only 6 percent of CEOs recognized that they had experienced a data breach, while 63 percent of CISOs noted a data loss event. And on the other side of that discussion, only 26 percent of CISOs indicated that their company was ready to respond to a cyber threat, while 44 percent of CEOs thought their company was capable of a rapid recovery.
Globally, 40 percent of companies cited their C-level employees (including the CEO) as their highest cybersecurity risk! If you are an executive wanting to understand more about your cybersecurity posture, a good exercise is to ask yourself some questions:
- How will your business respond if it is hacked?
- What are your top three business concerns for security, and do you know which threats map to those concerns?
- Can you really answer the question, "are we secure?"
- Do you have a formal plan of action, and have you read it and understood the steps?
Top security concerns: It’s just business
As part of our Global Security Advisory practice, we get to work with CxOs and teams from around the world on their concerns, security strategies, objectives and programs, and we find that there are consistent themes when it comes to top security concerns. But when you ask different Chiefs the same questions, you get different answers. Ask the CFO what her concerns are, and you may get "security liability." But if you ask the CMO, you might get "our brand and reputation is the top concern," and even more answers from the CEO, CIO and CISO. This is why a business-level strategy, not just a technical one, requires CxO alignment and planning.
WWT offers executive alignment workshops on security strategy that allow us to help our clients with those questions and map their risks to their business goals. However, one thing we always want to do is take a look internally as well.
So I thought I would ask Jim Kavanaugh, a Glassdoor top CEO, to let us know what his three security concerns are for WWT’s business. Here are his thoughts:
- Focus on growing our business with speed and agility while also being secure in all areas of the business.
- Making sure we are secure but also flexible, fast and innovative when enabling the remote workforce of the future.
- Leveraging all aspects of cloud computing and public cloud providers, while also making sure we don’t become more vulnerable in the process.
When reading those concerns, did you notice the focus on data access, firewall policies and VPNs, and all that talk about how phishing, ransomware and Zero Trust architectures are the top threats? No? Alright, that is a little facetious, but you get the point.
CEOs are looking at the impact security has on the business and its ability to respond to markets and trends, not "speeds and feeds" of controls. So why is it that we tend to focus on solutions before we understand the problems?
There are literally thousands of research papers, documents, studies, surveys and white papers about top security threats, so I am not going to put a list here of those threats, because it would not be comprehensive and also because it may not apply to your business. But you saw the title of this article and thought, "I want to know what the top security concerns are for my executives." That is when I would tell you: then ask them what they are, just like I asked our CEO.
I would also recommend that you have a plan to do so: a methodology for getting to those answers that has value in helping to address those concerns. I won’t give you your list of concerns, but there are a few that I have been given through our executive workshops and other engagements that could start the conversation.
CISO, Top 5 Consumer Products Company
- Third party risk management.
- Consumer data protection is the new normal.
- DevOps, governance and protecting the ecosystem of company assets.
CIO, Top 5 Manufacturing Company
- Formal risk management programs that are not too complex to implement.
- Ensuring that business requirements are defined before selecting solutions.
- How to manage the changing compliance and privacy environments around the world.
CIO, Small Business, Printing and Marketing Materials Production
- Ensuring that our business has the same security posture as larger companies.
- Trying to balance the costs of needed security controls with other demands for budget.
- Finding the right security staff that is trained and ready for security incidents.
CMO, Mid-Sized Financial Company
- What would happen to our brand if we had a major security event? Are we ready?
- How can we use all the investment we have made in cybersecurity to increase revenue?
- Are we meeting our compliance requirements for client data privacy?
Taking the next steps
As you've hopefully learned, each executive's role can determine their top security concerns. If you are an executive, I would encourage you to write down your top security concerns and share them with your teams, so that they know what your focus is. You can also get input from other members of your security team and then create a comprehensive security risk strategy that you can share with those on your IT and security teams to give them direction.
If you are an IT or a security professional and would like to align your goals with your executives', I would encourage you to promote an Executive Alignment Workshop. We can help you with the plan and methodology and even give you a clear report of the results to align your technical goals, gaps and risk with those of the business. The results you'll see include better budget alignment, more focus on security programs and projects that you know need to be addressed, and a real-world enablement of users to be secure while increasing your cyber culture.
If you take some of these next steps, let us know by commenting below on how it is going and what results you are seeing with your alignment project. It would be great to share in your success, as well as discuss your roadblocks!