Is the C-Suite a Cyber Threat?
CEOs are in danger of being penny-wise and pound-foolish when it comes to cybersecurity.
By Derrick Lilly | Summer 2018
There’s a new frontline in the cyber war — it’s within our own
companies. “A disconnect about cybersecurity is causing
tension among leaders in the C-suite — and may be leaving
companies vulnerable to breaches as a result,” states a
new report from security firm Centrify and Dow Jones
Customer Intelligence.
In “CEO Disconnect is Weakening Cybersecurity,” CEOs are
called out by fellow C-suite technical officers (TOs) —
including CIOs, CTOs, CISOs, and even CFOs — for being
“misinformed about security” and “misaligned with reality.”
The sharp-tongued criticism has survey data to back it: Only
55 percent of CEOs say their organization has experienced
any breach, compared to 79 percent of CTOs. Further, 60
percent of CEOs are investing most in malware protection
even though most breaches (81 percent) exploit identity. In
fact, only 35 percent of TOs cite malware as a primary threat.
Instead, TOs “point to identity breaches — including
privileged user identity attacks and default, stolen or weak
passwords — as the biggest threat,” the report states,
revealing that while all respondents understand that identity
breaches present a real danger, CEOs are much less inclined
to give them prominence.
In short, CEOs are setting their own security strategies,
driven in part, according to a survey of 800 senior executives,
by sensational headlines about malware breaches in
2017 — like those about the cyberworm WannaCry that
hobbled computers running Microsoft systems — and other
faulty assumptions.
As a result, CEOs seem more focused on reducing the cost
of a breach (55 percent) and protecting shareholder value (45
percent) than on heeding the words of their TOs and CFOs
and directing adequate budgets towards addressing the
technical risks and challenges that threaten businesses today.
“While bottom-line considerations fall to them [CEOs], they are
in danger of being penny-wise and pound-foolish if they fail to
consider the impact of reputational damage,” the report says.
Worsening the situation is poor communication between
CEOs and TOs, and a gaping disconnect over who is truly in
charge of cybersecurity. The report reveals that 81 percent of
CEOs say they are most accountable for their company’s
cybersecurity strategy — only 16 percent of TOs agree. Rather,
78 percent of TOs say they are most accountable, and 56
percent of CFOs agree with them.
“The disconnect between CEOs and TOs is resulting in
misaligned priorities and strategies, as well as misinvestments
in cybersecurity solutions, which are weakening security,” the
report states. “The status quo is not working. Business leaders
need to bridge the communications chasm with their TOs
and rethink security with a focus on identity and privileged
access. To continue to do otherwise risks exposure to a
preventable crisis.”