It has always been known by insiders that cybersecurity is not just a security issue, but after the “Year of the Data Breach” it became obvious to everyone that a data breach is a problem for every person and department in a company. Just off the top of our heads, HR has to deal with leaked employee data, marketing has to deal with the PR disaster, sales has to earn back customer trust and the C-suite has to implement the incident response plan.
The disconnect: C-suite and security
With an increase in data breaches each year and the effects of a data breach affecting every department, why is there still such a disconnect between the C-suite and security? A 2016 report from the IBM Institute for Business Value found that in C-suite meetings, nearly 60% of respondents “indicated they did not feel included in the topic [security] or participate during C-suite meetings.”
A 2014 EY report summarized the situation as such: “Competing demands, and an outdated understanding of the threats, crowd out the security discussion.” Specifically, the following were the reasons the C-suite was not addressing security during meetings:
- A crowded board-level agenda;
- Regarding cybersecurity as belonging to the IT silo;
- A misplaced sense of security that attackers won’t target their particular industry (e.g., hotels, grocery stores, etc.);
- Cyberthreats being overwhelming due to their complex and technical nature;
- Viewing cybersecurity as only a cost center; and
- The idea that organizations can be secure by stitching together enough defensive controls.
The C-suite and cybersecurity: Bringing them together
It is not all doom and gloom when it comes to the C-suite and security; a survey from PwC found that not only do a majority of companies have an executive in charge of security, but 46% of survey respondents said their board participates in information security budgets.
But how do we increase that number? Although it was probably not in your job description when you were hired, part of your job is bridging the gap between the C-suite and cybersecurity. It is your job to have the right conversations with stakeholders.
In one of our WebTracks webinars, security expert Andrew Plato shared with us how to communicate risk with executive leadership. Whether you just read our summary blog post or listen to the full webinar, you will gain a greater understanding of how you can speak up and get the C-suite better involved in security.