CEO and CISO disconnect in cybersecurity creates risk for Australian organisations.
The perils of overconfidence.
Chief executive officer (CEO) confidence regarding an organisation’s ability to detect and manage cyber concerns far outstrips that of Chief Information Security Officers (CISOs), a disconnect that, according to Unisys Corporation, is putting organisations at risk of cyberattacks.
The “Cybersecurity Standoff – Australia” research explores insights from 88 CEOs and 54 CISOs, predominantly from Australia’s small-to-medium enterprise sector that forms a critical part of physical and digital supply chains. The responses indicate that many Australian CEOs still view cybersecurity in tactical terms and are failing to incorporate the protection of essential digital assets into strategic planning.
For example, while 69 per cent of CISOs believe that cybersecurity is viewed as part of the organisation’s business plans and objectives, just 27 per cent of CEOs agree with this statement. In addition, a quarter of organisations with a board do not report cybersecurity on a regular basis, and just 6 per cent of all survey respondents see the role of their cybersecurity frameworks as tools to enable business and support growth.
“Lack of communication is a fundamental cause of this type of disconnect between the CEO and CISO,” says Gergana Kiryakova, industry director cyber security for Unisys, Australia and New Zealand. “Not every pair of CEO and CISO knows how to, or even likes to, talk to each other – they don’t share the same language and might define what constitutes a breach very differently. And to some degree there is a fear factor: some CISOs believe that if they disclose every issue they run into, they will lose their jobs. Effective communication and shared definitions are needed to drive a mindset change where security risk management becomes part of the business plan.”
The research reveals a consistent theme of cybersecurity over-confidence among CEOs:
- Just 6 per cent of CEOs say their organisations have suffered a data breach in the last 12 months, compared to 63 per cent of CISOs;
- More than four in 10 (44 per cent) CEOs believe their organisations can respond to cyber threats in real time, whereas just 26 per cent of CISOs agree; and
- More than half (51 per cent) of CEOs believe their organisations’ data collection policies are clear to consumers or citizens, yet only 26 per cent of CISOs agree.
“As enterprises digitise core functions, the type and volume of data collected, stored and used grows significantly,” Ms Kiryakova adds. “The reality is that data breaches are inevitable. Organisations must take a proactive approach to securely manage their data and identify and isolate threats before they impact business continuity, partners, customers or citizens. If business leaders don’t incorporate cybersecurity into their overall risk framework, they can’t respond effectively to threats across the supply chain ecosystem, or capitalise on emerging opportunities in the data economy.”