Chief executive officer (CEO) confidence regarding an organization's ability to detect and manage cyber concerns far outstrips that of chief information security officers (CISOs) – a disconnect that puts organizations at risk of cyber attacks, according to research released by Unisys Corporation.
The ‘Cybersecurity Standoff – Australia’ research explores insights from 88 CEOs and 54 CISOs, predominantly from Australia's small-to-medium business (SMB) sector that forms a critical part of physical and digital supply chains. The responses indicate that many Australian CEOs still view cyber security in tactical terms and are failing to incorporate the protection of essential digital assets into strategic planning.
For example, while 69 percent of CISOs believe that cyber security is viewed as part of the organization's business plans and objectives, just 27 percent of CEOs agree with this statement. In addition, a quarter of organizations with a board do not report cyber security on a regular basis, and just 6 percent of all survey respondents see the role of their cyber security frameworks as tools to enable business and support growth.
"Lack of communication is a fundamental cause of this type of disconnect between the CEO and CISO. Not every CEO and CISO know how to, or even like to, talk to each other – they don't share the same language and might define what constitutes a breach very differently. And to some degree there is a fear factor: where some CISOs believe if they disclose every issue they run into, they will lose their jobs. Effective communication and shared definitions are needed to drive a mindset change where security risk management becomes part of the business plan," said Gergana Kiryakova, industry director cyber security for Unisys, Australia and New Zealand.
The research reveals a consistent theme of cyber security over-confidence among CEOs:
- Just 6 percent of CEOs say their organizations have suffered a data breach in the last 12 months, compared to 63 percent of CISOs;
- More than four in 10 (44 percent) CEOs believe their organizations can respond to cyber threats in real time, whereas just 26 percent of CISOs agree; and
- More than half (51 percent) of CEOs believe their organizations' data collection policies are clear to consumers or citizens, yet only 26 percent of CISOs agree.
"As enterprises digitize core functions the type and volume of data collected, stored and used grows significantly. And the reality is that data breaches are inevitable. Organizations must take a proactive approach to securely manage their data and identify and isolate threats before they impact business continuity, partners, customers or citizens. If business leaders don't incorporate cyber security into their overall risk framework, they can't respond effectively to threats across the supply chain ecosystem, or capitalize on emerging opportunities in the data economy," added Kiryakova.
Unisys recommends a security approach that spans six key pillars to protect critical digital assets and change cyber security culture within the business. They are:
- Technology – establish a zero trust environment where the default is always to verify permission, from both within and outside of the IT environment;
- Human behaviour – utilize user and entity behaviour analytics to identify risky data practices or activities;
- Education – introduce a 'whole of organization' approach to cyber security education from the top down. Use this as an opportunity to discuss cyber security's value to the business;
- Eco-system roles and responsibilities – create a layered environment where the focus is to predict, protect, detect and respond to potential threats;
- Privacy – ensure a culture of responsibility where all employees responsible for collecting, or with access to sensitive data (including executive leaders) understand compliance requirements;
- Policy – clearly define secure data management expectations with all employees, suppliers and partners. Incorporate cyber security into the overall business risk framework.
The survey was conducted by Pure Profile during September 2019, surveying 88 CEOs and 54 CISOs from Australia's private and public sectors. Reflecting the Australian business landscape, 90 percent of responses were from organizations with less than 200 employees.