With the proliferation of more and more sensitive data, expanding connectivity, and the adoption of automated processes, new research from Accenture argues c-suite and IT decision makers need to embrace a different approach to cybersecurity to effectively protect against future cyber risks.
While most companies have a chief information security officer (CISO) or have assigned cybersecurity to a c-suite executive, such as a chief information officer (CIO), these leaders often have limited influence on cybersecurity strategy outside their departments. Additionally, nearly half of CISOs acknowledge that their responsibilities for securing the organisation are growing faster than their ability to address security issues.
The new study, called “Securing the Future Enterprise Today – 2018,” polled more than 1,400 c-level executives. Of these, 73 per cent agreed that cybersecurity staff and activities need to be dispersed throughout all parts of the organisation, yet cybersecurity remains centralised in 74 per cent of companies.
Moreover, there is little indication that c-suite executives expect to shift more responsibility for cybersecurity to business units. For example, 25 per cent of non-CISO executives say business unit leaders are accountable for cybersecurity today and a similar number believe business unit leaders should be responsible in the future.
“There is no doubt that organisations are taking cybersecurity more seriously; however, there is still much work to be done. Cybersecurity strategy needs to be led by the board, executed by the c-suite and owned at the front lines of the organisation. Further, it must be infused across all aspects of a company’s processes and systems, and built into the daily work activities of employees,” an Accenture spokesperson said.
“To be able to grow safely, companies can establish sustained cyber resilience through a continual, proactive focus on cyber risk management at all levels.”
The study exposed a disparity between what c-suite executives say are the emerging areas of concern and the cybersecurity strategies employed for protection. For example, companies are still doing little to spread security knowledge among employees and very few CISOs have the authority to influence business units across their organisations.
- Only half of respondents said all employees receive cybersecurity training upon joining the organisation and have regular awareness training throughout employment.
- Surprisingly, only 40 per cent of CISOs said establishing or expanding an insider threat program is a high priority.
- Just 40 per cent of CISOs said they always confer with business-unit leaders to understand the business before proposing a security approach.
- Internet of Things technology topped the list with 77 per cent of respondents saying that it will increase cyber risk moderately or significantly.
- Seventy-four per cent of respondents said cloud services will raise cyber risk, but only 44 per cent said that cloud technology is protected by their cybersecurity strategy.
- More than 70 per cent of respondents expect sharing data with strategic partners and third parties will raise risk, yet only 39 per cent said that the data exchanged is adequately protected by their cybersecurity strategy.