Aligning security with business objectives should be a top priority, but that is not always the case for many organizations. According to research, 93% of security leaders do not report to the CEO, yet 60% say they should to provide a more accurate understanding of security risks facing the organization.
That begs the question: how exactly do security leaders influence decisions across the enterprise? Are security leadership and the C-suite truly aligned on common goals, or are there gaps that expose the organization to more risk? LogRhythm partnered with Ponemon Institute to dig deeper and research the role and responsibilities of today’s cybersecurity leaders and the challenges they face in creating a strong security posture.
In the study, Security and the C-Suite: Making Security Priorities Business Priorities, we surveyed over 1,400 cybersecurity professionals globally and discovered key statistics that may surprise you, or that you may relate to. Let’s dive into some top highlights from the research and explore tips for aligning security with business objectives based on the findings.
The Majority of Organizations are Experiencing Cyberattacks
It’s not surprising that more than 60% of respondents say their organization had a cyberattack in the past two years. The expanding attack surface caused by digital transformation, cloud migration, and remote working is a well-known concern for IT security leaders; however, is the board truly on the same page about the potential threats the business faces?
The research shows that a whopping 63% of respondents say “they are not briefing the board of directors on risks, such as those created by remote working and what is being done to prevent and detect security incidents.”
Moreover, of the “37% of respondents who say they do report to the board, 41% of these respondents say briefings only happen following a security incident.”
Security cannot be an afterthought. A reactive rather than proactive approach leaves more opportunities for vulnerabilities to go unaddressed. If a breach were to occur, the organization could face compliance violations, lawsuits, loss of intellectual property, decreased brand loyalty, a decline in customer trust, and more. These are all consequences that could affect business operations and revenue for years to come.
Tip #1: Effectively Communicate with the Board
To truly protect the organization, there needs to be clear and persistent communication with the board. Security leaders must speak in terms of risk to the business and build relationships with executives to gain board-level support for their security operations center (SOC).
Understanding your audience is important when pitching ideas or requests to executive leadership. Avoid overwhelming amounts of technical jargon, or you may lose their attention. When stating your case, be realistic about the threats the business faces, but also avoid fear mongering: it is a poor way to get the board to approve budgets, process or operational changes, and new security strategies that may impact the business.
Security and the C-Suite are Not Always Aligned
According to the research, less than half of respondents say executives have confidence that the cybersecurity leader understands the business goals. Also, only 43% of respondents say their organization effectively leverages the expertise of cybersecurity leaders. These statistics suggest there is a misalignment between security leaders and company executives.
Recognizing this challenge, security leaders across the globe are acknowledging the need to become business enablers:
“The role of the CISO has evolved dramatically. As a CISO, you definitely have to know your business and all things that affect it, both internally and externally.” – Dilip Singh, Vice President Cyber Operations, Sedara
Tip #2: Know the Business
Security leaders need to have a comprehensive knowledge of how the business operates and the board’s top priorities. As this study suggests, it’s critical to ensure security policies are adequate to support business objectives. Security leaders can take initiative by joining business planning meetings to keep on top of any changes and better understand how to apply security to these routine conversations.
Most Organizations Require C-level Approval for Incident Response Plans
We covered that most organizations are experiencing attacks in today’s threat landscape, but how are security leaders and business executives working together to come up with incident response plans? According to the study, 83% say C-level approval is required for these types of plans. This makes a lot of sense, considering that any breach can be highly costly to the business and must be handled carefully for compliance reasons, as well as to protect customers, employees, and all sensitive data as much as possible.
What’s surprising is that many organizations do not have routine structures for updating the response plans. When asked, “How often does your organization update the incident response plan?”, research revealed that 58% said there is no set period for reviewing and updating the plan.
On top of that, the contents of response plans have major gaps when addressing cybersecurity threats that the average business faces. For example:
- Less than half (49%) say they cover destructive malware such as ransomware in the plan
- Only 25% of respondents say there is guidance on managing attacks by hackers
- Only 30% say the plan covers IoT-based attacks
Incomplete plans could be another factor contributing to the gap in understanding between security and the business. According to the study, ransomware is one of the top three cybersecurity risks that affect the business, yet many organizations do not get board approval for an incident response plan for this type of attack.
In 2021, we have witnessed how ransomware can have a crippling effect on the business, resulting in far-reaching impacts to the economy. Recent ransomware attacks that reached national headlines, such as the water treatment plant incident in Florida and the Colonial Pipeline attack, are just a couple of examples. Executives need to be on the same page about how the business will handle and respond to these kinds of compromises before a breach occurs.
Tip #3: Security Leaders Must Work with the Board to Develop Effective Response Plans
The attack surface is evolving, and the cybersecurity industry deals with constant change. Incident response plans must be revisited with executives and updated to fit the current security climate. As the study suggests, “IT security leaders should have put an effective incident response and disaster recovery plan in place and assure that the CEO and board of directors understand the level of preparedness.”
This will help ensure more collaborative decision making between security and the C-suite, as well as foster conversations that improve the board’s general security awareness.
Read the Complete Research Study
Aligning security with business objectives is a long-term process that requires a lot of open communication and relationship building with the board. It’s critical that security leaders and the C-suite collaborate to better understand the risks to the business so that they can determine what priorities, goals, and objectives will help the organization be security first.
All statistics stated in this blog originate from the research study, Security and the C-Suite: Making Security Priorities Business Priorities. To gain more insight on how to elevate the importance of the IT security leader, download this comprehensive report – it’s worth a read!