C-Suite Involvement in Cybersecurity Is Little More Than Lip Service

Collaboration with security teams, making cybersecurity a core principle of business strategy, and investing in defenses better position organizations to thwart threats and ensure business continuity.

Raja Mukerji, Co-Founder & Chief Scientist, ExtraHop

August 23, 2024


COMMENTARY

No organization is immune to today's looming cybersecurity threats. Whether a large enterprise or a small business, building proactive defenses is critical to day-to-day functions. It's just as essential to manage cyber-risks as it is to manage other business risks, since successful attackers have the power to financially cripple businesses, damage reputation, and affect continuity.

Amid today's rising threats — from ransomware and data breaches to the impact of geopolitical and nation-state threats — true cyber preparedness requires the right internal collaboration and tools to bolster business resilience. The responsibility for managing cyber-risk is a collective effort, and everyone plays a role — especially the C-suite.

A new report from ExtraHop found that while four in 10 US organizations look to their executive management team to help assess their cyber-risk exposure, only one-fifth feel there is a high level of involvement and commitment from the C-suite. This raises the question: Are industrywide claims of cybersecurity as a board-level discussion little more than lip service to stakeholders?

Lessons Learned From Previous Attacks

This information illustrates a worrying trend, especially as regulators are holding the C-suite accountable for data breaches. We saw this in action when the SEC charged SolarWinds' chief information security officer (CISO) with fraud and internal control failures following a two-year-long cyberattack. The recent hearings on the Change Healthcare ransomware attack also exposed the burden placed on the CEO role, setting a precedent for these leaders to be questioned in depth by the Senate on wide-reaching cyber incidents.

Taking what we've learned from infamous, large-scale attacks and the resulting fallout, we can identify the real problem affecting major companies, the C-suite and board, and security teams: overconfidence. The report found that a vast majority of IT decision-makers (88%) feel confident about their organization's ability to manage cyber-risk. Yet the findings show that this isn't the case — many are ill-prepared to do so, and a lack of direction and attention from the C-suite is contributing to the problem.

Take ransomware, for example: Despite their confidence, more than half (58%) of respondents experienced more than six ransomware incidents in the past year alone, while 40% experienced 10 or more. Highlighting the points of failure, 51% claim more than half of their organization's cyber incidents are related to poor cyber hygiene. Half of all organizations surveyed admitted to running at least one insecure network protocol that threat actors are known to exploit. A lack of preparedness, and of the ability to surface cyber-risk, can play a significant role in the ransomware uptick we're seeing globally.

Cyber Preparedness Calls for Better Internal Alignment

In the same report, 15% of respondents cited a lack of alignment between the business and cybersecurity as the most significant barrier to managing risk. That gap is reflected in nearly a quarter of respondents indicating that they'd need a 26% to 50% increase in budget to mitigate threats effectively.

The disconnect between business plans and cybersecurity needs suggests that organizations must take cybersecurity more seriously. Leadership involvement is critical when it comes to meeting regulatory requirements, and prioritizing cyber-risk management across the leadership bench helps security and IT teams make better decisions and provide direction during an incident. Making cybersecurity a core company value, where the C-suite prioritizes time and investments in security solutions, is crucial.

Making cyber-risk management a staple topic during planning meetings and within the boardroom affirms alignment across the organization. It also ensures that cybersecurity fits into all strategic initiatives. At a basic level, this means establishing better cyber hygiene across all employees, security solutions, and workflows. The C-suite must lead by example and provide the resources and training necessary for all employees — not just security and IT teams — to understand their own personal security's impact on the organization.

When it comes to investing in tools, C-suites should allow a budget for various methods to assess cyber-risk and ensure all stakeholders are involved. These include penetration testing, red-team exercises, and threat modeling assessments. In addition, having full network visibility can help detect and stop attacks in the early stages — long before threat actors can achieve their objectives and cause harm to an organization.

Successful Integration of Cybersecurity in Executive Strategies

So, what happens when cybersecurity becomes a key component of the C-suite and board's day-to-day priorities? Several organizations have demonstrated exemplary integration of cybersecurity into their executive strategies, setting benchmarks for others to follow. One notable example is JPMorgan Chase, which significantly bolstered its cybersecurity defenses following high-profile breaches in the financial sector. The company's CEO, Jamie Dimon, took a proactive stance by prioritizing cybersecurity as a core business concern. JPMorgan Chase invested more than $600 million annually in cybersecurity, employed more than 3,000 IT security professionals, and established a dedicated cybersecurity operations center. This comprehensive approach, driven by top-level leadership, ensured robust protection against evolving threats and underscored the critical importance of executive involvement in cybersecurity.

Another example is Equifax, which undertook a significant transformation following its 2017 data breach. The company appointed a new CEO, Mark Begor, who prioritized cybersecurity as a top business imperative. Under his leadership, Equifax invested $1.5 billion in overhauling its cybersecurity infrastructure, including the adoption of advanced security technologies and the creation of a new chief information security officer (CISO) role. This strategic investment and executive commitment not only enhanced Equifax's security posture but also restored trust with stakeholders and positioned the company as a leader in cybersecurity resilience.

No organization wants to be the next Change Healthcare or SolarWinds. Across the industry, the C-suite and organizational leaders hold the power when it comes to establishing companywide precautionary measures and defenses. Collaboration with security teams, making cybersecurity a core principle of business strategy, and investing in defenses ultimately better position organizations to thwart threats and ensure business continuity.


About the Author

Raja Mukerji

Co-Founder & Chief Scientist, ExtraHop

Raja Mukerji is the co-founder and chief scientist at ExtraHop Networks, where he is responsible for customer services, solutions architecture, business development, and technical alliances. Raja drives customer success, leveraging his operational background in the financial services industry. Raja co-founded ExtraHop in 2007, after a seven-year tenure at F5 Networks, where he was a senior software architect and co-inventor of the TMOS platform. Raja was a lead developer behind the BIG-IP v9 product and the major accounts liaison for critical customer-facing issues within product development. Before F5, Raja worked as a technology architect at Strong Capital Management. Raja is a renowned expert in application delivery and network protocols. He was involved in the FreeBSD project and contributed to several enhancements to its TCP stack. Raja holds a bachelor of science degree in computer engineering from the Milwaukee School of Engineering.
