More than three-quarters (76%) of C-level executives believe a cyber security breach is inevitable, according to a survey by Nominet, which is responsible for the .UK domain name and launched a cyber security division in December 2018.
Despite this, the majority (90%) of more than 400 executives polled in the UK and US believe their company is missing at least one resource that would help them defend against a severe cyber attack, with the most common missing component being advanced technology (59%).
However, the report entitled Trouble at the top: The boardroom battle for cyber supremacy reveals that the problem is much deeper.
There are more human factors at play, the report said, with senior management reluctant to accept advice (46%), a lack of budget (44%), and a lack of people resources (41%), which are all considered to be major components of an effective cyber security strategy.
There is also confusion at board level about who is ultimately responsible for the immediate response to a data breach, the survey reveals. More than a third (35%) of those surveyed believe that the CEO is in charge of the response to a data breach, with a little less than a third (32%) saying it is down to the CISO.
Despite this, the majority (71%) of the C-suite concede that they have gaps in their knowledge when it comes to some of the main cyber threats facing businesses today. This includes malware (78%), despite the fact that 70% of businesses admit they have found malware hidden on their networks for an unknown period of time.
When a security breach does happen, in the majority of businesses surveyed it is first reported to the security team (70%) or the executive/senior management team (61%). It is reported to the board in fewer than half of cases (40%).
This is unsurprising, the report said, in light of the fact that one-third of CEOs state that they would terminate the contract of those responsible for a data breach.
The report also reveals that only half of CISOs say they feel valued by the rest of the executive team from a revenue and brand protection standpoint, while nearly a fifth (18%) of more than 400 CISOs questioned in a separate poll say they believe the board is indifferent to the security team or actually sees them as an inconvenience.
However, the survey shows support for the CISOs is higher than they realise. CISOs perceive that just 52% of their board of directors sees them as a “must have”, but the reality is that three-quarters (76%) of C-level executives feel that way.
While this may be the case, the report said the feeling of not being valued is having a damaging effect on the CISO. More than a quarter (27%) said the stress of their job is affecting their physical or mental health.
Nearly a quarter (23%) admitted that the job had also affected their personal relationships, while 28% of CISOs also admit that stress levels are having an adverse effect on their ability to do their job.
“This research is very much a case of the good, the bad and the ugly. It’s good to see that business leaders are aligned on the fact that cyber attacks are pretty much an inevitable part of working life. Acceptance is the first step to protection. There’s also a dedication to keeping customer and client data safe,” said Russell Haworth, CEO of Nominet.
“But the bad comes with the power struggle at the top, with confusion over who should actually take responsibility in case of a data breach or cyber attack, which is detrimental to the safety and security of the business.
“And the ugly is how CISOs feel within their organisation. There’s a clear disconnect between how valued they feel and how valued they actually are. Whether that’s CISOs misunderstanding how important they are, or the board failing to communicate this to them, I’m unclear.
“What is abundantly obvious though is that there’s still a lot of work to be done. Boards and CISOs need to sit down and agree on exactly what the responsibility of the CISO is, and exactly who’s in charge of the business’s response to the pervasive cyber threat.”