Cybersecurity is rarely out of the spotlight these days. As cybersecurity incidents increase, so too does awareness at every level from the boardroom on down that this is a problem that needs close attention. The C-suite is waking up to the fact that even one data breach could lead to financial loss and a tarnished reputation―whether the organization exists in the private, public, or not-for-profit sector.
Although executives are increasingly acknowledging the need for sound cybersecurity practices, there is still huge disparity as to who should be responsible for keeping a watchful eye. The 2018 Global Economist Intelligence survey of over 450 companies conducted by Willis Towers Watson found that almost 40% of executives and directors felt that the board should oversee cyber, compared with 24% who felt it should be the role of a specialized cyber entity overseen by the chief technology officer (CTO) or chief information security officer (CISO). A small portion of respondents surveyed believed it should be the responsibility of audit, risk, or some other subgroup.
Traditionally, CISOs have owned responsibility for risk management, resilience, and recovery. They have predominantly come from technology backgrounds, which have put them in a good place to be gatekeepers of security initiatives and best practices. However, in an increasingly disruptive business environment, CISOs are now tasked with balancing security concerns with the need to be at the forefront of digital technologies in order to remain competitive and innovative.
Security has always been and will undoubtedly continue to be a core element of any CTO’s role. But, again, the scope of their responsibilities is broad and doesn’t enable them to focus enough attention on cybersecurity.
This Brings Us to another Question
As the responsibility conundrum drags on, executive teams and board of directors are also asking themselves: What can we do differently to avoid being the next major data breach, and protect our shareholder value?
Even though businesses across all sectors rank cybersecurity as their most pressing issue, the typical cybersecurity budget is profoundly underfunded. Steve Vintz of the Harvard Business Review puts it in perspective this way: “IT budgets are typically 3-7% of a company’s revenue, and security budgets are typically 5% of IT spend. In other words, the average company allocates just over 1% of revenue safeguarding against potentially catastrophic attacks.”
Maybe it’s time for the chief financial officer (CFO) to join forces with the CISO and CTO to gain an understanding of security risk and the financial costs associated with it. Right now, there seems to be a disconnect between many CFOs and security practitioners when it comes to strengthening the cyber defenses of the entity against attacks. It’s the number crunchers versus the techies. The former is obsessed with spending and bottom lines, the latter is always on the lookout for new digital toys to implement.
Ultimately, Cybersecurity is in Everyone’s Best Interest
No matter how you look at it, different organizations place the responsibility for cybersecurity with different roles. This largely depends on what the organization does, its culture, and its size. When the reality is everyone needs to be a good cyber steward.
It’s no longer an option to simply leave cyber responsibility to the “experts” within the business. All hands should be on deck when it comes to following set protocols, practicing good cyber hygiene, and knowing how one’s job plays into the landscape of cybersecurity. Although the challenge of security is a company-wide one, whoever has overall responsibility needs to be sufficiently and specifically trained in cybersecurity.
Additionally, the CISO, CTO, and CFO must work alongside one another to help foster an overall culture of cyber awareness, vigilance, and preparedness across the business. This includes not only discovering what is already in place in terms of cybersecurity practices and procedures, but also ensuring that the right people―from frontline employees to top management, processes, and technology are in place.
When it comes to cyber responsibility, organizations shouldn’t think in terms of just one role but rather a collaborative effort across the business that takes into account such things as the size, maturity, and complexity of the organization.