Trouble at the top

The cyber security challenge facing the c-suite

Today’s board and C-level executives are well aware that cyber security is a growing threat – a game of cat and mouse where the nimble cyber criminal often outwits its larger, more passive foes. It’s not a question of if an organisation is going to be hit by a significant breach, but when.

To find out more about how well the dangers were perceived, Nominet engaged Vanson Bourne to investigate. On our behalf they interviewed over 400 board-level executives at significant-sized companies in the UK and the US, roughly equally split across a wide range of business sectors.

Broad outlook

The key point is that the revelatory findings are those not of CISOs, but of other C-suite and board-level members:

  • Business Owner
  • Chief Executive Officer (CEO)
  • Chief Operations Officer (COO)
  • Managing Director (MD)
  • Chief Financial Officer (CFO)
  • Chief Technology Officer (CTO)
  • Chief Marketing Officer (CMO)
  • Chief Compliance Officer (CCO)
  • Chief Risk Officer (CRO)

It should be noted that some of the respondents (CTO and CRO, for instance) may have a CISO or other high-level cyber security manager reporting into them, but for the vast majority this was not the case. We therefore knew we were getting the views of those in positions of great responsibility, who would be severely affected by a major cyber security catastrophe, but who were unlikely to be experts in the field.

View from the top – survey highlights

A major theme that came through, and one that Nominet CEO Russell Haworth blogged about in June 2019, as the report was released, was that those heading up major organisations need to tackle cyber security together.

It’s unreasonable to expect every C-suite member to become as expert at cyber security as the CISO or CIO. But, just as the CFO expects everyone on the team to know enough about management accounts and basic finance to understand the CFO’s issues, there needs to be enough awareness and understanding of the threats, risks and possible outcomes of a full-on cyber attack on the organisation.

It was pleasing to see that this is already being recognised, with more than eight in ten respondents saying that they were always or often ‘actively involved’ in the cyber security decisions and activities of their organisations. The highest percentages were recorded in the retail and life sciences & pharmaceuticals sectors.

The boardroom battle for cyber supremacy

Take a look at our original research, focusing on the views of over 400 C-suite executives across the UK and US.


Awareness, but with resignation

Awareness of cyber security as a key issue appears high, with more than three-quarters of respondents believing that a security team is a “must have”, over 80% featuring the topic at board meetings monthly, and over half featuring it more frequently.

The other side of that coin is that the vast majority (90%) believed that their business was lacking at least one key resource that would enable strong defence against cyber attacks. Just over three-quarters believed that security breaches are “inevitable” in their company.

The CISO view

Separate research we commissioned, asking CISOs about their work, revealed their worry that the level of expertise at board level is falling behind – or, perhaps more accurately, that malicious cyber techniques and attack technologies are moving too quickly for people to keep up. The sheer volume and relentless nature of largely automated attacks also contributes to wearing people down. This is understandable when other board members are, in all fairness, judged on their responsibilities in running their own section of the business, not on cyber security.

That research highlighted the inevitability of eventual breaches too, although CISOs are more likely to pinpoint a lack of resources as a major cause. It also pinpointed the patchy nature of cyber security understanding at board level and concluded that all of this contributes to significant pressure on CISOs, with many finding it hard to cope.

Bringing it all together

The data from these two surveys was recently combined into our ground-breaking report Trouble at the top: The boardroom battle for cyber supremacy. Focusing on the people behind successful organisations is rare, with regard to the cyber security epidemic at least.

The report concluded that there is both good and bad – the good is that boards are awake to the dangers; the bad is confusion over accountability at the top for cyber security, particularly when breaches occur.

There was an ugly too – the toll being taken on the health and well-being of CISOs, the people who are quite literally in the firing line. Over a third of CISOs believe they would face termination or serious action were a significant breach to occur.

Getting help

Nominet’s interest comes from making its network and organisation protection mechanism, NTX, available to businesses. Using deep DNS analytics and fed by data science-led research, NTX forms a protective layer around the network that immediately protects devices on the network (regardless of type or operating system) from any malware, phishing and data theft that uses DNS.

As the UK’s National Cyber Security Centre has determined that “nearly all” malware uses DNS at some point, DNS analysis, done correctly, is a terrific way to predict, detect and block malicious software, both known and unknown.

NTX also seriously shortens the time between the release of a new threat and its detection (“dwell time”), and this alone lifts a lot of the pressure from the shoulders of CISOs and board members.