Data privacy, current cyberthreats, and cybersecurity culture and training top the list, but are these the right priorities?

Industry rhetoric suggests that cybersecurity is an important topic in corporate boardrooms and C-suites, but according to a recent ESG survey, this is only partly true. While 58% of senior cybersecurity and business managers say that their organization's C-level executives' commitment and buy-in to cybersecurity is "very good," the remaining 42% say that their organization's C-level executives' commitment and buy-in to cybersecurity is "adequate, fair, or poor."
Not so good.
Survey respondents were also asked which cybersecurity topics were most important to the executive team. Here are the results and a bit of analysis:
- Data privacy. Data privacy topped the list at 35%, and this makes sense given regulations like GDPR and CCPA. In the past, data privacy was handled by legal teams, but with the onset and growth of regulations, CISOs have been asked to operationalize data privacy. In other words, security teams are responsible for things like data discovery, the introduction of new data security controls, and coordination around technologies for data deletion. GDPR also comes with the potential for hefty fines, so executives are paying close attention. Given that GDPR came out of the EU, it is not surprising that 39% of European organizations viewed data privacy as a high priority, compared to 33% of North American firms, according to ESG's research.
- Current cyberthreats. Nearly one-third (32%) of business and cybersecurity executives believe that the executive team wants to know about current cyberthreats, and it is worth noting that this research was conducted before the SolarWinds hack. To be clear, CEOs have no interest in details like indicators of compromise or MITRE ATT&CK framework tactics/techniques, but they do want to know what's happening in general, what's happening in their industry, whether their organization is vulnerable, and, if so, what's needed for risk mitigation. Many CISOs I spoke to in this research project create cyberthreat reports proactively for executives and corporate boards, especially after a noteworthy publicly-disclosed data breach.
- Cybersecurity culture and training. This was a priority for 29% of organizations, but that doesn't tell the whole story. As part of this research project, ESG created a scoring system that divided organizations into two categories: "good security" organizations that emphasized cybersecurity within the business, and "good enough security" organizations that minimized their commitment to cybersecurity. Using this segmentation model, 39% of "good security" organizations prioritize cybersecurity culture and training, compared to 24% of "good enough security" firms. This difference is really a microcosm of cybersecurity today. "Good security" organizations are built with a cybersecurity culture as a foundation. Consequently, they are more secure down to the people and process levels. They also tend to excel in areas like business agility and IT resilience. "Good enough security" organizations still think of cybersecurity in terms of technology and compliance. They cover the basics, the same as they did when the PCI Security Standards Council was formed in 2006.
While these were the top three priorities, it's also worth examining others that were further down the list. For example, only 23% of organizations said that "alignment of security with key business initiatives" was an important topic for executives. Wow, really? This truly illustrates a cybersecurity disconnect at many organizations, but in this case, the blame really lies with IT and cybersecurity executives: only 19% of technologists said this was a business executive priority, compared to 29% of business executives. So, business managers want this information while technologists are somewhat oblivious to their needs. Cybersecurity ships passing in the night.
Similarly, only 21% of respondents believe that third-party risk management and/or vendor risk management was an important executive topic. Even before SolarWinds, there was Target, OPM, and the NotPetya-based attacks on Ukraine, Maersk, etc., so you'd think executives would want some guidance in this area.
Based upon my analysis of the data, it seems like many business and cybersecurity executives still haven't figured out what's most important and how to communicate effectively with one another. This gap leads them to focus on obvious and easy topics rather than the cybersecurity priorities that align with the business mission and objectives.
The research does indicate that some (about 33%) of organizations have figured things out, with cybersecurity truly integrated into the business. What are these firms doing? More on that soon.