Jon Oltsik
Contributing Writer

The most important cybersecurity topics for business executives

Opinion
Feb 10, 2021 | 4 min read
Tags: Cyberattacks, Cybercrime, Regulation

Data privacy, current cyberthreats, and cybersecurity culture and training top the list, but are these the right priorities?

[Image: high priority gauge. Credit: Thinkstock]

Industry rhetoric suggests that cybersecurity is an important topic in corporate boardrooms and C-suites, but according to a recent ESG survey, this is only partly true. While 58% of senior cybersecurity and business managers say that their organization’s C-level executives’ commitment and buy-in to cybersecurity is “very good,” the remaining 42% say that their organization’s C-level executives’ commitment and buy-in to cybersecurity is “adequate, fair, or poor.”

Not so good.

Survey respondents were also asked which cybersecurity topics were most important to the executive team.  Here are the results and a bit of analysis:

  • Data privacy. Data privacy topped the list at 35%, and this makes sense given regulations like GDPR and CCPA. In the past, data privacy was handled by legal teams, but with the onset and growth of regulations, CISOs have been asked to operationalize data privacy. In other words, security teams are responsible for things like data discovery, the introduction of new data security controls, and coordination around technologies for data deletion. GDPR also comes with the potential for hefty fines, so executives are paying close attention. Given that GDPR came out of the EU, it is not surprising that 39% of European organizations viewed data privacy as a high priority, compared to 33% of North American firms, according to ESG’s research.
  • Current cyberthreats. Nearly one-third (32%) of business and cybersecurity executives believe that executives want to know about current cyberthreats, and it is worth noting that this research was conducted before the SolarWinds hack. To be clear, CEOs have no interest in details like indicators of compromise or MITRE ATT&CK framework tactics/techniques, but they do want details about what’s happening in general, what’s happening in their industry, whether their organization is vulnerable, and, if so, what’s needed for risk mitigation. Many CISOs I spoke to in this research project create cyberthreat reports proactively for executives and corporate boards—especially after a noteworthy publicly disclosed data breach.
  • Cybersecurity culture and training. This was a priority for 29% of organizations, but that doesn’t tell the whole story. As part of this research project, ESG created a scoring system that divided organizations into two categories: “good security” organizations that emphasized cybersecurity within the business, and “good enough security” organizations that minimized their commitment to cybersecurity. Using this segmentation model, 39% of “good security” organizations prioritize cybersecurity culture and training, compared to 24% of “good enough security” firms. This difference is really a microcosm of cybersecurity today. “Good security” organizations are built with a cybersecurity culture as a foundation. Consequently, they are more secure down to the people and process levels. They also tend to excel in areas like business agility and IT resilience. “Good enough security” organizations still think of cybersecurity in terms of technology and compliance. They cover the basics—same as they did when PCI DSS was introduced in 2006.

While these were the top three priorities, it’s also worth examining others that were further down the list. For example, only 23% of organizations said that “alignment of security with key business initiatives” was an important topic for executives. Wow, really? This truly illustrates a cybersecurity disconnect at many organizations, but in this case, the blame really lies with IT and cybersecurity executives—only 19% of technologists said this was a business executive priority, compared to 29% of business executives. So, business managers want this information while technologists are somewhat oblivious to their needs. Cybersecurity ships passing in the night.

Similarly, only 21% of respondents believe that third-party risk management and/or vendor risk management was an important executive topic. Even before SolarWinds, there was Target, OPM, and the NotPetya-based attacks on Ukraine, Maersk, etc., so you’d think executives would want some guidance in this area.

Based upon my analysis of the data, it seems like many business and cybersecurity executives still haven’t figured out what’s most important and how to communicate effectively with one another. This gap leads them to focus on obvious and easy topics rather than the cybersecurity priorities that align with the business mission and objectives.

The research does indicate that some (about 33%) of organizations have figured things out, with cybersecurity truly integrated into the business.  What are these firms doing?  More on that soon.