Securing the C-Suite: Cybersecurity Perspectives from the Boardroom


  • 2015 IBM Corporation, 18 February 2016

    Cybersecurity perspectives from the boardroom and C-Suite Securing the C-Suite

    Carl Nordman, IBM Institute for Business Value Diana Kelley, Executive Security Advisor, IBM Security

  • Today's panelists

    Carl Nordman, Research Director, IBM Institute for Business Value: https://securityintelligence.com/author/carl-nordman/ and https://www.linkedin.com/in/carlnordman

    Diana Kelley, Executive Security Advisor, IBM Security: https://securityintelligence.com/author/diana-kelley and https://www.linkedin.com/in/dianakelleysecuritycurve

  • Why survey the C-Suite on cybersecurity? Cybercrime is an insidious threat that has reached crisis levels. Though hard to quantify with precision, estimates of the cost of cybercrime to the global economy may range from $375 billion USD to $575 billion per year.

    Reputational damage, financial loss, national security concerns and loss of intellectual capital, to name just a few, characterize some of the risks the C-suite is taking serious notice of.

    Historically considered a technical issue within the domain of the IT department, security is now a central topic within operations, across the C-suite, and has been elevated to the board level.

    The objective of this study is to gain a perspective on cybersecurity through the lens of the executive suite, to gauge their level of understanding of and engagement with cybersecurity risks and practices, and to contrast that against CISO concerns and known issues uncovered by security experts.

  • Agenda

    Overview: Approach and demographics

    Context: The C-Suite view of cybersecurity risk

    The collaboration factor: Governance and collaboration

    Being cybersecure: Lessons learned from the most prepared

    Recommendations: C-suite considerations for 2016 and beyond

  • We surveyed over 700 C-suite executives in 29 countries, across 9 roles, representing 18 industries

    Q4. In what country is your enterprise headquartered? Select one. Sample size: 702

    Respondents by region (pie chart): North America, Central and South America, Western Europe, Middle East and Africa, Central and Eastern Europe, Asia Pacific, Japan; chart values 24%, 24%, 12%, 4%, 17%, 12%, 7% (values as extracted, not matched to regions).

  • Data was collected using a survey with 20 questions for all C-suite participants and an additional 3-5 specific to each role

    Questions asked across C-suite roles: 5 demographic, 5 risk awareness, 5 capability and preparation, 5 governance.

    Role-specific examples:

    CEO: Cybersecurity importance relative to other strategic issues; willingness to share information (internally and externally)

    CHRO: Deployed employee education; protected critical employee personal sensitive data

    CFO/CRO: Degree security is incorporated into ERM plans; protected critical financial and risk data

  • There is a balanced representation across company size, industry and C-suite role

    Sample size: 702

    Company size in USD annualized revenue (chart): Under $500M, $500M-$1B, $1B-$10B, Over $10B; chart values 35%, 5%, 45%, 15% (values as extracted, not matched to bands).

    C-suite role (chart): Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Marketing Officer, Chief Human Resource Officer, Chief Legal/Compliance Officer, Chief Risk Officer, Chief Operations Officer, Chief Supply Chain Officer; chart values 12%, 4%, 13%, 13%, 13%, 13%, 12%, 12%, 8% (values as extracted, not matched to roles).

    Industry (chart panel title)

  • Context: The C-Suite view of cybersecurity risk

  • IBM's 2015 Global C-Suite Study revealed IT security risks have risen to become a top concern

    This is a marked change from just two years ago, when security concerns made just a blip on their radar screens.

    Greatest risks with emerging, disruptive technologies (chart): disruptive technologies where IT security risk was selected as the #1 top concern: mobile solutions, cloud computing, smart, connected (IoT), cognitive computing, advanced manufacturing technologies, man-machine hybrids.

    Source: IBM 2015 C-Suite Study, Q1.4 "Which of the following technologies will revolutionize your business in 3 to 5 years? [Rank up to 3]" cut by Q2.3 "Which of the following risks do you think may occur in 3 to 5 years as a result of the technology you ranked #1 in question 1.4?" Rake-weighted n=5247.

  • CxOs' consistent IT risk concerns across both studies mask a prevailing issue: legacy vulnerabilities still remain high

    The latest technologies du jour, such as mobile, are capturing more executive-level attention, despite the fact that there are currently fewer known incidents through these channels than through others (e.g. legacy applications, vendor/partner system integration points, network security).

    Admittedly, legacy infrastructure vulnerabilities remain a top concern for all. They are exacerbated by emerging technologies (e.g. API security).

  • Seventy-five percent of CxOs believe a comprehensive cybersecurity program is important to extremely important

    Q12. How important are the following elements of a cybersecurity plan in each of the areas described below? Please rate each item below on a scale of 1 to 5, with 1 being not at all important, 5 being extremely important, or don't know. Sample size: 691

    % of C-suite indicating cybersecurity plan components are important to extremely important (chart): Prevention, Detection, Response, Remediation; chart values 76%, 74%, 78%, 77% (values as extracted, not matched to components).

    Weighted average response for the whole cybersecurity plan being important to extremely important: 75%

  • On average the C-suite may be overstating the probability of a significant cybersecurity incident occurring at their company

    Q9. What do you believe is the probability of a significant cyber security incident affecting your enterprise in the next 2 years? Note: significant is defined as an event that would cause a material disruption to operations, customers or vendors. Select one. Sample size: 702

    C-suite view of the probability of a significant cybersecurity incident in the next 2 years (chart): categories 0% probability, over 0% to 25%, 25%-50%, 50%-75%, greater than 75%, it's inevitable, already happened; chart values 8%, 1%, 6%, 23%, 51%, 5%, 6% (values as extracted, not matched to categories).

    C-suite weighted average view of the probability of a significant cybersecurity incident in the next 2 years: 38%

    The 2015 Cost of Data Breach Study estimated the probability of a breach resulting in the theft of 10,000+ records over 2 years to be about 22%.1

    1: 2015 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015, page 20, figure 15.

  • Half or more of CxOs acknowledge the risks of industrial espionage and organized crime but understate others

    Q7: Rank the top three entities that you believe represent the most significant threats to cyber security for your enterprise, with 1 being most significant. Sample size: 702

    Riskiest threat actors selected by C-suite respondents (chart): current/former vendors, foreign governments, organized crime groups, competitors outside industry, domestic government, organized terrorist groups, rogue individuals, current/past employees, competitors in industry; chart values 50%, 32%, 26%, 54%, 19%, 17%, 23%, 70%, 8% (values as extracted, not matched to actors).

    80% of material threats arise from organized crime groups.1

    31.5% of data breaches are attributable to malicious insiders (employees, contractors, vendors).2

    23.5% of data breaches are due to inadvertent actors (insider errors, non-adherence to policy).2

    On average, they overstate the risk from rogue actors and understate the risk from employees, foreign governments and industrial espionage.

    1: UNODC Comprehensive Study on Cybercrime, 2013. 2: IBM 2015 Cyber Security Intelligence Index, https://securityintelligence.com/economic-espionage-the-global-workforce-and-the-insider-threat/

  • The collaboration factor: Governance and collaboration

  • While a majority of CEOs agree more collaboration is needed with government, industry and across borders, more than two-thirds are unwilling to participate in that collaboration

    Chart panels: CEO agreement with the need for external collaboration with various groups; CEO reticence to participate in sharing incident information with them.

    Q2-CEO: To what extent are you willing to disclose cyber security incidents to the following stakeholders, on a scale of 1 to 5 with 1 being not at all and 5 being extensively? Externally = vendors, regulators, industry competitors, third-party security experts. Q3-CEO: On the following cyber security related actions, please indicate if you agree or disagree with each statement. Sample size: 87

  • On average the C-suite appears highly confident in the soundness of their cybersecurity plans

    % of C-suite respondents by role that report the cybersecurity strategy of their company is well established (chart): roles CEO, CMO, CIO, CHRO, CFO, CLO, CRO, CSCO, COO; chart values 70%, 66%, 63%, 76%, 59%, 55%, 51%, 61%, 77% (values as extracted, not matched to roles).

    C-suite average response that the cybersecurity strategy of their company is well established: 65%

  • In light of responses on the degree of C-suite engagement on cybersecurity issues, that confident view starts to erode

    % of C-suite highly engaged in cybersecurity threat management: 40%

    % of C-suite who agree the cybersecurity plan incorporates C-suite collaboration: 31%

    % of C-suite respondents by role that report they are very engaged in security threat management discussions (chart, high engagement vs. low to no engagement): roles CFO, CMO, CIO, CRO, CHRO, CEO, CSCO, CLO, COO; high-engagement values 56%, 48%, 45%, 56%, 43%, 41%, 38%, 43%, 57%; low-to-no-engagement values 44%, 52%, 55%, 44%, 57%, 59%, 62%, 57%, 43% (values as extracted, not matched to roles).

  • Being cybersecure: Lessons learned from the most prepared

  • Methodology to cluster effectiveness of the C-suite on cyber security across 7 factors

    3 strategic components:

    Q10.1 Evaluating potential security issues across all initiatives (C-suite collaboration)

    Q10.2 Identifying critical enterprise data (the crown jewels)

    Q10.3 Developing an effective response plan in the event of a breach (internal and external)

    4 tactical components:

    Q13.1 Prevention: Having necessary prevention practices and tools in place

    Q13.2 Detection: Deploying continuous monitoring and detection tools

    Q13.3 Response: Implementing a comprehensive response plan

    Q13.4 Remediation: Implementing remediation plans to strengthen security

    We asked respondents how they have prepared strategically and tactically along these factors and used the responses to these questions to see if clusters emerged, by capability.

  • An analysis of the responses to these specific questions revealed three distinct clusters

    Q10. To what extent has your organization established and implemented cyber security plans and capabilities across your enterprise? Please rate each item below [strategic plan, data protected, response plan ready] on a scale of 1 to 5, with 1 being not at all and 5 being extensively. Q13. Considering your entire enterprise, how effective are current cyber security plans in each of the areas described below [prevention, detection, response, remediation]? Please rate each item below on a scale of 1 to 5, with 1 being not at all effective and 5 being extremely effective. Sample size: 702

  • Companies with a cybersecure C-suite are more than twice as likely to have a security office and to have appointed a CISO

  • A cybersecure C-suite is more likely to be governed with C-suite collaboration built into the plan

  • A cybersecure C-suite provides far more transparency and communicates more with the Board of Directors

  • Recommendations: C-suite considerations for 2016 and beyond

  • A set of three recommendations emerged for the C-suite to consider as they evolve their cybersecurity capabilities

    1. Understand the risks

    2. Collaborate, educate and empower

    3. Manage risk with vigilance and speed

  • Learn more about the study: Securing the C-Suite

    Visit ibm.com/security/ciso to download the report

  • Learn more about IBM Security

    130+ countries where IBM delivers managed security services

    25 industry analyst reports rank IBM Security as a LEADER

    No. 1 enterprise security vendor in total revenue

    12K+ clients protected, including 90% of the Fortune 100 companies

    Join IBM X-Force Exchange: xforce.ibmcloud.com

    Visit our website: ibm.com/security

    Watch our videos on YouTube: IBM Security Channel

    Read new blog posts: SecurityIntelligence.com

    Follow us on Twitter: @ibmsecurity

  • Learn more about the IBM Institute for Business Value

    For more information: To learn more about this IBM Institute for Business Value study, please contact us at [email protected]. Follow @IBMIBV on Twitter, and for a full catalog of our research or to subscribe to our monthly newsletter, visit ibm.com/iibv. Access IBM Institute for Business Value executive reports on your mobile device by downloading the free IBM IBV app for your phone or tablet from your app store.

    The right partner for a changing world: At IBM, we collaborate with our clients, bringing together business insight, advanced research and technology to give them a distinct advantage in today's rapidly changing environment.

    IBM Institute for Business Value: The IBM Institute for Business Value, part of IBM Global Business Services, develops fact-based strategic insights for senior business executives around critical public and private sector issues.

  • THANK YOU
