C-Suite Involvement in Cybersecurity Is Little More Than Lip Service
Collaboration with security teams, making cybersecurity a core principle of business strategy, and investing in defenses better position organizations to thwart threats and ensure business continuity.
COMMENTARY
No organization is immune to today's looming cybersecurity threats. Whether a large enterprise or a small business, building proactive defenses is critical to day-to-day functions. It's just as essential to manage cyber-risks as it is to manage other business risks, since successful attackers have the power to financially cripple businesses, damage reputation, and affect continuity.
Amid today's rising threats — from ransomware and data breaches to the impact of geopolitical and nation-state threats — true cyber preparedness requires the right internal collaboration and tools to bolster business resilience. The responsibility for managing cyber-risk is a collective effort, and everyone plays a role — especially the C-suite.
A new report from ExtraHop found that while four in 10 US organizations look to their executive management team to help assess their cyber-risk exposure, only one-fifth feel there is a high level of involvement and commitment from the C-suite. This raises the question: Are industrywide claims of cybersecurity as a board-level discussion little more than lip service to stakeholders?
Lessons Learned From Previous Attacks
This information illustrates a worrying trend, especially as regulators are holding the C-suite accountable for data breaches. We saw this in action as the SEC charged SolarWinds' chief information security officer (CISO) with fraud and internal control failures following a two-year-long cyberattack. And the recent hearings on the Change Healthcare ransomware attack also exposed the burden placed on the CEO role, setting a precedent for these leaders to be questioned in depth by the Senate on wide-reaching cyber incidents.
Taking what we've learned from infamous, large-scale attacks and the resulting fallout, we can pinpoint the real problem affecting major companies, the C-suite and board, and security teams: overconfidence. The report found that a vast majority of IT decision-makers (88%) feel confident about their organization's ability to manage cyber-risk. Yet the findings show that this isn't the case: many are ill-prepared to do so, and a lack of direction and attention from the C-suite is contributing to the problem.
Take ransomware, for example: Despite their confidence, more than half (58%) of respondents experienced more than six ransomware incidents in the past year alone, while 40% experienced 10 or more. To highlight the points of failure, 51% claim more than half of their organization's cyber incidents are related to poor cyber hygiene. Half of all organizations surveyed admitted to running at least one insecure network protocol that threat actors are known to exploit. A lack of preparedness, and of the ability to surface cyber-risk, can play a significant role in the ransomware uptick we're seeing globally.
Cyber Preparedness Calls for Better Internal Alignment
In the same report, 15% of respondents cited a lack of alignment between the business and cybersecurity as the most significant barrier to managing risk, reflected in nearly a quarter of respondents indicating that they'd need a 26% to 50% increase in budget to mitigate threats effectively.
The disconnect between business plans and cybersecurity needs suggests that organizations must take cybersecurity more seriously. Leadership involvement is critical when it comes to meeting regulatory requirements, and prioritizing cyber-risk management across the leadership bench helps security and IT teams make better decisions and provide direction during an incident. Making cybersecurity a core company value, where the C-suite prioritizes time and investments in security solutions, is crucial.
Making cyber-risk management a staple topic during planning meetings and within the boardroom affirms alignment across the organization. It also ensures that cybersecurity fits into all strategic initiatives. At a basic level, this means establishing better cyber hygiene across all employees, security solutions, and workflows. The C-suite must lead by example and provide the resources and training necessary for all employees — not just security and IT teams — to understand their own personal security's impact on the organization.
When it comes to investing in tools, C-suites should allow a budget for various methods to assess cyber-risk and ensure all stakeholders are involved. These include tools such as penetration testing, red-team exercises, and threat modeling assessments. In addition, having full network visibility can help detect and stop attacks in the early stages — long before threat actors can achieve their objectives and cause harm to an organization.
Successful Integration of Cybersecurity in Executive Strategies
So, what happens when cybersecurity becomes a key component of the C-suite and board's day-to-day priorities? Several organizations have demonstrated exemplary integration of cybersecurity into their executive strategies, setting benchmarks for others to follow. One notable example is JPMorgan Chase, which significantly bolstered its cybersecurity defenses following high-profile breaches in the financial sector. The company's CEO, Jamie Dimon, took a proactive stance by prioritizing cybersecurity as a core business concern. JPMorgan Chase invested more than $600 million annually in cybersecurity, employed more than 3,000 IT security professionals, and established a dedicated cybersecurity operations center. This comprehensive approach, driven by top-level leadership, ensured robust protection against evolving threats and underscored the critical importance of executive involvement in cybersecurity.
Another example is Equifax, which undertook a significant transformation following its 2017 data breach. The company appointed a new CEO, Mark Begor, who prioritized cybersecurity as a top business imperative. Under his leadership, Equifax invested $1.5 billion in overhauling its cybersecurity infrastructure, including the adoption of advanced security technologies and the creation of a new chief information security officer (CISO) role. This strategic investment and executive commitment not only enhanced Equifax's security posture but also restored trust with stakeholders and positioned the company as a leader in cybersecurity resilience.
No organization wants to be the next Change Healthcare or SolarWinds. As an industry, the C-suite and organizational leaders hold the power when it comes to establishing companywide precautionary measures and defenses. Collaboration with security teams, making cybersecurity a core principle of business strategy, and investing in defenses ultimately better positions organizations to thwart threats and ensure business continuity.