Those of us fortunate enough to be part of the C-suite of a large organisation are facing some of the biggest challenges we have ever seen. We are grappling with risks that simply didn’t exist a decade ago. We are encountering foes that are neither visible nor tangible, yet remain relentless in their efforts to inflict damage and infiltrate our systems in ways few of us completely understand.
Cyber attacks are the unfortunate by-product of digital transformation, and cyber security is now one of the top priorities for most organisations. For many of us in a leadership position, this is a largely unknown realm and yet one that we must step up to take responsibility for as best we can. But are we succeeding? What is truly happening within the C-suite and Board? And are we getting it right when it comes to cyber security? These are some of the questions that led Nominet to conduct new research, the report of which has now been published; ‘Trouble at the Top: the battle for boardroom supremacy’.
There is no denying that the incidence and severity of cyber attacks have skyrocketed in the past few years. When it comes to an organisation’s chance of avoiding or withstanding one of these pernicious onslaughts, the team at the top – and their approach to the risks – are pivotal. Encouragingly, the majority (76%) of the C-level executives we surveyed in the UK and US are of the mindset that cyber attacks are inevitable. This is important, as acceptance is the first step in being fully prepared.
Another positive finding was that the main concern for the C-suite is the loss of customer and client data, with 64% listing this as their top worry. Within the current climate of customer disgruntlement about misuse of data, it’s good to hear that many businesses are taking your data – our data – seriously.
Where the C-suite struggles is with resources required to meet the risks we face. Almost all of the people we spoke to (90%) said they lacked at least one resource to defend themselves against cyber breaches, the most common of which being advanced technology (59%). This chimes with our previous research into CISOs specifically, who also admitted they needed more to defend the organisation fully.
The CISO is a crucial player in the exploration of top-level management as there remains a level of inconsistency, across all industries, about exactly how much power and responsibility the CISO should and does have. Too many are under pressure and unsupported, and it’s taking a toll on their health and wellbeing: almost 90% of CISOs we spoke to are working longer than 40 hours per week and 27% admitted that the job stress was impacting their physical or mental health.
Some of this comes from feeling undervalued. Only half of the CISOs felt the rest of the executive team valued the security from a revenue and brand protection point of view. That said, our new report has found that the CISO often has more support than they realise: 52% of CISOs don’t feel they are viewed as a ‘must have’ by the Board, but 76% of their C-suite colleague believe they are.
Clearly there is a disconnect within the group who manage and drive the business, and this feeds into a confusion about who takes responsibility for cyber security. When our research asked who was ultimately responsible for information security, 35% said the CEO while 32% said the CISO. Only 3% accepted the fact that no single person takes the full burden; cyber security is a team game.
There are some immediate conclusions we can draw from this, and it echoes some of the things we have been told by CISOs themselves in our interview series. The C-suite needs to communicate better, educate each other, and recognise their individual limitations. While 71% of the C-suite admitted to gaps in their knowledge of the main cyber threats, only 38% would support the security team in resolving it, while a quarter would simply terminate the contract of the accountable employee. This is not a sustainable way to approach leadership, nor manage the risks of cyber threats. We need to pull together if we truly want to do the best we can for the business.
Let me be a case in point: I am an experienced business leader. I will take responsibility for the important business decisions, but I also draw on the expertise and deep knowledge of the talented people I have hired, especially the technical experts in information security. I use those around me to advise on cyber security, I empower those with specialist skills to take charge of the things they understand, and together we find the right solutions for them and for me, for the business and the Board.
I hope Nominet’s new research will start to provoke discussions and encourage more C-suites to assess their own behaviours and find ways to improve their processes. Change will involve talking and listening, creating clear lines of command, identifying responsibilities, and recognising our own strengths and weaknesses within our role.
If those at the top start joining the dots, I believe it will be transformative for the cyber resilience of the business, the mental health of the CISO, the confidence of the leadership and – subsequently – the atmosphere and optimism of the whole staff. Finding strength in unity could be the gamechanger when it comes to the never-ending task of keeping a business cyber secure in these challenging digital times. We work together; we win together.
Download the full report ‘Trouble at the Top: the boardroom battle for cyber supremacy’ on our website or read more about the challenges for the CISO on our blog.