Despite the increasing prominence of cybersecurity risk among organisations’ priorities, many senior leaders believe their cybersecurity chiefs are failing to accurately articulate levels of risk, indicating a lack of trust between executives and security teams that could ultimately leave organisations vulnerable to attack.
In the study, CISO Redefined: Navigating C-Suite Perceptions & Expectations CISO, 93% of UK [and Irish] leaders surveyed see cybersecurity as a top priority for their organisation driven by concerns over potential revenue loss, regulatory compliance, and loss of customer trust, with over 80% of organisations seeing increased demands to demonstrate cyber readiness and preparedness. In light of this, the vast majority (81%) of UK organisations are increasing the decision-making powers of their Chief Information Security Officer (“CISO”). However, there is evidence of a disconnect between senior leaders and security teams around cybersecurity risk, with the perception among one in three executives that the CISO is making things sound better than they are.
“As organisations navigate a regulatory and business environment that is pushing for greater board and leadership oversight of cybersecurity, robust engagement between senior leaders and CISOs will be essential to satisfy stakeholders that cybersecurity risk is being addressed at the top level of the organisation,” said Kate Brader, Head of Crisis in the Strategic Communications segment at FTI Consulting. “Regular cybersecurity briefings, clear roles and procedures around incident response, together with robust testing of response plans can all help to build trust and confidence across the C-suite and cybersecurity teams.”
The study’s findings highlight the challenges organisations face, as various frameworks seek to standardise management of cybersecurity risk. The UK’s draft cybersecurity governance code signals the top-down approach to cybersecurity that the government wants to see, while the US National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework was recently updated to include a governance function, which stipulates how cybersecurity should be integrated into an organisation’s broader risk management strategy. Organisational alignment on cybersecurity risk is becoming an imperative and will therefore require strong engagement between the CISO and senior leadership teams.
“Our study highlights the ongoing challenges for CISOs as they evolve from technical gatekeeper to holding greater responsibility for overall organisational risk and resilience,” said Orla Cox, Head of Cybersecurity Communications for EMEA in the Strategic Communications segment at FTI Consulting. “This wider remit means that an effective CISO must build trust across business leaders, senior leaders and the board, and prioritise refining their communication skills as much as their technical skills.”
Additional key findings from the survey include:
The vast majority of leaders believe that their CISOs require communications training, with more than half (53%) flagging this as an immediate priority.
Pressure on CISOs to demonstrate a return on investment is likely to increase with more than 86% of organisations having increased their cybersecurity budget in the past 12 months.
In contrast to the rest of the world, UK leaders were revealed as feeling the greatest pressure on cybersecurity from regulators, followed by customers and then investors.