Cybersecurity is a priority for enterprise executives and their boards, but a serious disconnect also exists in the C-suite on what the risk priorities should be and why, according to recent research. Some of the gap can be attributed to the day-to-day focus of different executive functions, but much of it goes far deeper into problems with culture and communication.
When consulting firm Protiviti and the Enterprise Risk Management (ERM) Initiative at the North Carolina University Poole College of Management recently conducted the third annual survey of business executives for “Executive Perspectives on Top Risks for 2015,” and examined the ranking of 27 risks by job function, they found that CFOs and chief audit executives (CAEs) perceived a riskier business environment than CEOs and the board. And CEOs and board members each had their own focus on the types of risks they perceived as most important.
Protiviti examined the relationship between the job functions of the executives it surveyed and whether they ranked macroeconomic, strategic or operational risks as of highest concern, and a pattern emerged. Board of directors members collectively named four strategic risks among their top five concerns, along with one macroeconomic issue; CEOs collectively named four macroeconomic risks among their top five, along with one strategic risk. And other executives named more operational risks to their top five lists.
In addition, says Mark Beasley, Deloitte Professor of ERM and director of the North Carolina ERM Initiative, “boards and CEOs rank many more risks as less important overall. That is part of the disconnect. The board and the CEO see things much more positively. This all begs for robust, explicit conversations about risk in the C-suite. Everyone is not on the same page. Having different perspectives is helpful, but not talking about it is not helpful. Everyone has a different list.”
The roots of the disconnect reach beyond job titles into the larger business culture, as well. Jim DeLoach, Protiviti managing director, points to close relationships among a number of the top 10 risks: organizational culture that does not encourage timely identification and escalation of risk issues, resistance to change, and lack of preparedness to manage an unexpected crisis.
“One thing that has occurred over the last several years is that it has become evident in the C-suite and the boardroom that ‘stuff happens,’” says DeLoach. “A crisis can impact even the product brand. Our take was that smaller organizations see more need to invest, more need to pay attention, while bigger organizations have been well aware of the phenomenon for some time, and of the need for upgrading processes, and the need for a world-class response. The investor community expects management will be adept in managing that process, as well as the day-to-day processes.”
When Does Cybersecurity Become Strategic?
When over 1,000 cybersecurity CIOs, CISOs and senior IT leaders were surveyed for the 2015 Global Megatrends in Cybersecurity report, sponsored by Raytheon and conducted by Ponemon, the results showed that 66 percent of the respondents don’t perceive cybersecurity as a strategic priority.
Even worse, 78 percent of respondents said that their board of directors had not had a cybersecurity strategy briefing in the last 12 months. The disconnect is preventing these companies from addressing growing cybersecurity threats, says Michael Daly, CTO for cybersecurity and special missions at Raytheon.
“Twenty-two percent of boards of directors had a cyber briefing in the last year, but only 21 percent requested one,” Daly further explained. “Boards of directors are not asking for reports, and officers are not pushing them.”
To close the disconnect, says Daly, CIOs and CISOs can change the way they communicate with the board about why cybersecurity is a strategic risk – and potentially a competitive advantage.
To get everyone on the same page, Daly suggests, “focus on a limited set of metrics. Metrics that CISOs use don’t mean much, like blocking viruses. Alone, it’s hard to know if that’s a bad thing or a good thing. Instead, use what we call ‘dwell time.’ That is, the amount of time that a bad guy is able to use our computer. The reality is that it’s going to happen, but IT needs to block outbound traffic, so that the bad guy didn’t get to use malware. Then, everyone can look for a trend downward in dwell time. Other metrics to follow are training and reporting to the help desk. Basically, one metric is useful for the board: How long were we at risk?”
Raytheon’s research shows that though only 25 percent of respondents believe their organization’s C-level executives view security as a competitive advantage, 59 percent say those execs will see the competitive advantage three years from now.
Another bright spot: Beasley says that his research shows that all industries will be investing more across the board in risk oversight.
“What I’m hearing is concern about the environment of support to identify and escalate risk. I’m observing a little bit of reluctance to invest in structured risk processes, so maybe companies need to put more emphasis on that. But we are seeing an increase in likelihood in investing in more general processes,” Beasley said.
Addressing the disconnect on where to place risk priorities, says DeLoach, is “one of the most fascinating aspects of the study. My experience has shown me that you have a significant issue if you have a disconnect between the middle and the top of the organization. Looking back, it’s always 20/20, and you see that the issue was well known on the frontlines, but the C-suite was not looking at it, the board was not looking at it. The challenge is crossing that chasm, and facilitating upward communication. Risk assessment, to be high quality, needs myriad perspectives across the organization, from various disciplines, to capture and understand effective risk assessment.”
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+