Securing the C-Suite: Cybersecurity Perspectives from the Boardroom


Transcript of Securing the C-Suite: Cybersecurity Perspectives from the Boardroom

Page 1

©2015 IBM Corporation 1 18 February 2016

Securing the C-Suite: Cybersecurity perspectives from the boardroom and C-Suite

Carl Nordman, IBM Institute for Business Value
Diana Kelley, Executive Security Advisor, IBM Security

Page 2

Today’s panelists

Carl Nordman, Research Director, IBM Institute for Business Value
https://securityintelligence.com/author/carl-nordman/
https://www.linkedin.com/in/carlnordman

Diana Kelley, Executive Security Advisor, IBM Security
https://securityintelligence.com/author/diana-kelley
https://www.linkedin.com/in/dianakelleysecuritycurve

Page 3

Why survey the C-Suite on cybersecurity? Cybercrime is an insidious threat that has reached crisis levels. Though hard to quantify with precision, estimates of the cost of cybercrime to the global economy may range from $375 billion USD to $575 billion per year.

•  Reputational damage, financial loss, national security concerns and loss of intellectual capital, to name just a few, are among the risks the C-suite is now taking serious notice of

•  Historically considered a technical issue within the domain of the IT department, security is now a central topic within operations and across the C-suite, and has been elevated to the board level

The objective of this study is to view cybersecurity through the lens of the executive suite: to gauge executives' level of understanding of, and engagement with, cybersecurity risks and practices, and to contrast that against CISO concerns and known issues uncovered by security experts.

Page 4

Agenda

Overview: Approach and demographics

Context: The C-Suite view of cybersecurity risk

The collaboration factor: Governance and collaboration

Being cybersecure: Lessons learned from the most prepared

Recommendations: C-suite considerations for 2016 and beyond

Page 5

We surveyed over 700 C-suite executives in 29 countries, across 9 roles, representing 18 industries

Q4 . In what country is your enterprise headquartered? Select one.

Sample Size 702

[Pie chart: respondents by headquarters region: North America, Central and South America, Western Europe, Middle East and Africa, Central and Eastern Europe, Asia Pacific, Japan (regional shares range from 4% to 24%)]

Page 6

Data was collected using a survey with 20 questions for all C-suite participants and an additional 3-5 specific to each role

Questions asked across C-suite roles:

•  5 Demographic
•  5 Risk awareness
•  5 Capability and preparation
•  5 Governance

Role-specific examples:

CEO
•  Cybersecurity importance relative to other strategic issues
•  Willingness to share information (internally and externally)

CHRO
•  Deployed employee education
•  Protected critical employee personal sensitive data

CFO/CRO
•  Degree security is incorporated into ERM plans
•  Protected critical financial and risk data

Page 7

There is a balanced representation across company size, industry and C-suite role

[Charts: respondents by industry; by company size in $USD annualized revenue (Under $500M 35%, $500M - $1B, $1B - $10B, Over $10B); by C-suite role (Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Marketing Officer, Chief Human Resource Officer, Chief Legal/Compliance Officer, Chief Risk Officer, Chief Operations Officer, Chief Supply Chain Officer 4%)]

Sample Size 702

Page 8

Agenda

Overview: Approach and demographics

Context: The C-Suite view of cybersecurity risk

The collaboration factor: Governance and collaboration

Being cybersecure: Lessons learned from the most prepared

Recommendations: C-suite considerations for 2016 and beyond

Page 9

IBM’s 2015 Global C-Suite study revealed IT security risks have risen to become a top concern

Source: IBM 2015 C-Suite Study, Q1.4 Which of the following technologies will revolutionize your business in 3 to 5 years? [Rank up to 3], cut by Q2.3 Which of the following risks do you think may occur in 3 to 5 years as a result of the technology you ranked #1 in question 1.4? Rake-weighted n=5247

This is a marked change from just two years ago, when security concerns made just a blip on their radar screens.

Greatest risks with emerging, disruptive technologies

Disruptive technologies where IT Security risk was selected as #1 Top Concern:

•  Mobile solutions
•  Cloud computing
•  Smart, connected (IoT)
•  Cognitive computing
•  Advanced manufacturing technologies
•  Man-machine hybrids

Page 10

CxOs’ consistent IT risk concerns across both studies mask a prevailing issue: legacy vulnerabilities still remain high

The latest “technologies du jour” such as mobile are capturing more Executive level attention, despite the fact that there are, currently, fewer known incidents through these channels than others (e.g. legacy applications, vendor/partner system integration points, network security).

Admittedly, legacy infrastructure vulnerabilities remain a top concern for all. They are exacerbated by emerging technologies (e.g. API Security).

Page 11

Seventy-five percent of CxOs believe a comprehensive cybersecurity program is “important to extremely important”

[Chart: % of C-suite indicating each cybersecurity plan component (Prevention, Detection, Response, Remediation) is important to extremely important; every component scores between 74% and 78%]

Weighted average response for the whole cybersecurity plan being important to extremely important: 75%

Q12. How important are the following elements of a cybersecurity plan in each of the areas described below? Please rate each item below on a scale of 1 to 5, with 1 being “Not at all important”, 5 being “extremely important”, or “Don’t know”.

Sample Size = 691

Page 12

On average the C-suite may be overstating the probability of a significant cybersecurity incident occurring at their company

[Chart: C-suite view of the probability of a significant cybersecurity incident in the next 2 years, by response category: 0% probability, Over 0% to 25%, 25%-50%, 50%-75%, Greater than 75%, It’s inevitable, Already happened]

C-suite weighted average view of the probability of a significant cybersecurity incident in the next 2 years: 38%

The 2015 “Cost of Data Breach Study” estimated the probability of a breach resulting in the theft of 10,000+ records over 2 years to be about 22% [1]

Q9. What do you believe is the probability of a significant Cyber Security incident affecting your enterprise in the next 2 years? Note, “significant” is defined as an event that would cause a material disruption to operations, customers, vendors. Select one.

1: 2015 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015. Page 20, figure 15

Sample Size = 702

Page 13

Half or more of CxOs acknowledge the risks of industrial espionage and organized crime but understate others

[Chart: riskiest threat actors selected by C-suite respondents: Current/former vendors, Foreign governments, Organized crime groups, Competitors outside industry, Domestic government, Organized terrorist groups, Rogue individuals, Current/past employees, Competitors in industry (selection rates range from 8% to 70%)]

•  80% of material threats arise from organized crime groups [1]

•  31.5% of data breaches are attributable to malicious insiders (employees, contractors, vendors) [2]

•  23.5% of data breaches are due to inadvertent actors (insider errors, non-adherence to policy) [2]

On average, they overstate the risk from rogue actors and understate the risk from employees, foreign governments and industrial espionage

Q7: Rank the top three entities that you believe represent the most significant threats to Cyber Security for your enterprise, with 1 being most significant.

1: UNODC Comprehensive Study on Cybercrime 2013
2: IBM 2015 Cyber Security Intelligence Index - https://securityintelligence.com/economic-espionage-the-global-workforce-and-the-insider-threat/

Sample Size = 702

Page 14

Agenda

Overview: Approach and demographics

Context: The C-Suite view of cybersecurity risk

The collaboration factor: Governance and collaboration

Being cybersecure: Lessons learned from the most prepared

Recommendations: C-suite considerations for 2016 and beyond

Page 15

While a majority of CEOs agree more collaboration is needed with government, industry and across borders, more than two-thirds are unwilling to participate in that collaboration

CEO agreement with need for external collaboration with various groups

CEO reticence to participate in sharing incident information with them

Q2 – CEO: To what extent are you willing to disclose Cyber Security incidents with the following stakeholders on a scale of 1 to 5, with 1 being not at all and 5 being extensively. Externally = Vendors, Regulators, Industry Competitors, Third Party Security Experts.

Q3 – CEO: On the following Cyber Security related actions, please indicate if you agree or disagree with each statement.

Sample Size = 87

Page 16

On average the C-suite appears highly confident in the veracity of their cybersecurity plans

[Chart: % of C-suite respondents by role (CEO, CMO, CIO, CHRO, CFO, CLO, CRO, CSCO, COO) that report the cybersecurity strategy of their company is well established; values by role range from 51% to 77%]

C-suite average response that the cybersecurity strategy of their company is well established: 65%

Page 17

In light of responses on the degree of C-suite engagement on cybersecurity issues, that confident view starts to erode

[Chart: % of C-suite respondents by role (CFO, CMO, CIO, CRO, CHRO, CEO, CSCO, CLO, COO) that report they are very engaged in security threat management discussions, split into High Engagement and Low to No Engagement; high engagement by role ranges from 38% to 57%]

% of C-suite highly engaged in cybersecurity threat management: 40%

% of C-suite agree cybersecurity plan incorporates C-suite collaboration: 31%

Page 18

Agenda

Overview: Approach and demographics

Context: The C-Suite view of cybersecurity risk

The collaboration factor: Governance and collaboration

Being cybersecure: Lessons learned from the most prepared

Recommendations: C-suite considerations for 2016 and beyond

Page 19

Methodology to cluster effectiveness of C-suite on Cyber Security across 7 factors

3 Strategic components:
•  Q10.1 Evaluating potential security issues across all initiatives (C-Suite collaboration)
•  Q10.2 Identifying critical enterprise data (the Crown Jewels)
•  Q10.3 Developing an effective response plan in the event of a breach (internal & external)

4 Tactical components:
•  Q13.1 Prevention: Having necessary prevention practices and tools in place
•  Q13.2 Detection: Deploying continuous monitoring & detection tools
•  Q13.3 Response: Implementing a comprehensive response plan
•  Q13.4 Remediation: Implementing remediation plans to strengthen security

We asked respondents how they have prepared strategically and tactically along these factors and used their responses to these questions to see if clusters emerged, by capability.

Page 20

An analysis of the responses to these specific questions revealed three distinct clusters

Sample Size = 702

Q10. To what extent has your organization established and implemented Cyber Security plans and capabilities across your enterprise? Please rate each item below [Strategic Plan, Data Protected, Response Plan ready] on a scale of 1 to 5, with 1 “Not at all”, 5 being “Extensively”.

Q13. Considering your entire enterprise, how effective are current Cyber Security plans in each of the areas described below [Prevention, Detection, Response, Remediation]? Please rate each item below on a scale of 1 to 5, with 1 “Not at all effective”, and 5 being “extremely effective”.

Page 21

Companies with a “cybersecure” C-suite are more than twice as likely to have a security office and have appointed a CISO

Page 22

A “cybersecure” C-suite is more likely to be governed with C-suite collaboration built into the plan

Page 23

A “cybersecure” C-suite provides far more transparency and communicates more with the Board of Directors

Page 24

Agenda

Overview: Approach and demographics

Context: The C-Suite view of cybersecurity risk

The collaboration factor: Governance and collaboration

Being cybersecure: Lessons learned from the most prepared

Recommendations: C-suite considerations for 2016 and beyond

Page 25

A set of three recommendations emerged for the C-suite to consider as they evolve their cybersecurity capabilities

1.  Understand the risks

2.  Collaborate, educate and empower

3.  Manage risk with vigilance and speed

Page 26

Learn more about the study: Securing the C-Suite

Visit ibm.com/security/ciso to download the report

Page 27

Learn more about IBM Security

130+ countries where IBM delivers managed security services

25 industry analyst reports rank IBM Security as a LEADER

No. 1 enterprise security vendor in total revenue

12K+ clients protected, including 90% of the Fortune 100 companies

Join IBM X-Force Exchange xforce.ibmcloud.com

Visit our website ibm.com/security

Watch our videos on YouTube IBM Security Channel

Read new blog posts SecurityIntelligence.com

Follow us on Twitter @ibmsecurity

Page 28

Learn more about the IBM Institute for Business Value

For more information: To learn more about this IBM Institute for Business Value study, please contact us at [email protected]. Follow @IBMIBV on Twitter, and for a full catalog of our research or to subscribe to our monthly newsletter, visit ibm.com/iibv. Access IBM Institute for Business Value executive reports on your mobile device by downloading the free “IBM IBV” app for your phone or tablet from your app store.

The right partner for a changing world: At IBM, we collaborate with our clients, bringing together business insight, advanced research and technology to give them a distinct advantage in today’s rapidly changing environment.

IBM Institute for Business Value: The IBM Institute for Business Value, part of IBM Global Business Services, develops fact-based strategic insights for senior business executives around critical public and private sector issues.

Page 29

THANK YOU

Page 30