Data privacy, current cyberthreats, and cybersecurity culture and training top the list, but are these the right priorities?

Industry rhetoric suggests that cybersecurity is an important topic in corporate boardrooms and C-suites, but according to a recent ESG survey, this is only partly true. While 58% of senior cybersecurity and business managers say that their organization’s C-level executives’ commitment and buy-in to cybersecurity is “very good,” the remaining 42% rate it as “adequate, fair, or poor.” Not so good.

Survey respondents were also asked which cybersecurity topics were most important to the executive team. Here are the results and a bit of analysis:

Data privacy. Data privacy topped the list at 35%, which makes sense given regulations like GDPR and CCPA. In the past, data privacy was handled by legal teams, but with the onset and growth of regulations, CISOs have been asked to operationalize data privacy. In other words, security teams are now responsible for things like data discovery, the introduction of new data security controls, and coordination around technologies for data deletion. GDPR also comes with the potential for hefty fines, so executives are paying close attention. Given that GDPR came out of the EU, it is not surprising that 39% of European organizations viewed data privacy as a high priority, compared to 33% of North American firms, according to ESG’s research.

Current cyberthreats. Nearly one-third (32%) of business and cybersecurity respondents believe that executives want to know about current cyberthreats, and it is worth noting that this research was conducted before the SolarWinds hack.
To be clear, CEOs have no interest in details like indicators of compromise or MITRE ATT&CK framework tactics and techniques, but they do want to know what’s happening in general, what’s happening in their industry, whether their organization is vulnerable, and, if so, what’s needed for risk mitigation. Many CISOs I spoke to in this research project create cyberthreat reports proactively for executives and corporate boards, especially after a noteworthy publicly disclosed data breach.

Cybersecurity culture and training. This was a priority for 29% of organizations, but that doesn’t tell the whole story. As part of this research project, ESG created a scoring system that divided organizations into two categories: “good security” organizations that emphasized cybersecurity within the business, and “good enough security” organizations that minimized their commitment to cybersecurity. Using this segmentation model, 39% of “good security” organizations prioritize cybersecurity culture and training, compared to 24% of “good enough security” firms. This difference is really a microcosm of cybersecurity today. “Good security” organizations are built with a cybersecurity culture as a foundation. Consequently, they are more secure down to the people and process levels. They also tend to excel in areas like business agility and IT resilience. “Good enough security” organizations still think of cybersecurity in terms of technology and compliance. They cover the basics, same as they did when PCI DSS first appeared in the mid-2000s.

While these were the top three priorities, it’s also worth examining others that were further down the list. For example, only 23% of organizations said that “alignment of security with key business initiatives” was an important topic for executives. Wow, really?
This truly illustrates a cybersecurity disconnect at many organizations, but in this case the blame really lies with IT and cybersecurity executives: only 19% of technologists said this was a business executive priority, compared to 29% of business executives. So business managers want this information while technologists are somewhat oblivious to their needs. Cybersecurity ships passing in the night.

Similarly, only 21% of respondents believe that third-party risk management and/or vendor risk management was an important executive topic. Even before SolarWinds, there was Target, OPM, and the NotPetya attacks on Ukraine, Maersk, and others, so you’d think executives would want some guidance in this area.

Based upon my analysis of the data, it seems that many business and cybersecurity executives still haven’t figured out what’s most important and how to communicate effectively with one another. This gap leads them to focus on obvious and easy topics rather than the cybersecurity priorities that align with the business mission and objectives. The research does indicate that some organizations (about 33%) have figured things out, with cybersecurity truly integrated into the business. What are these firms doing? More on that soon.