- Leaders in cybersecurity have more discipline for implementing strategy on a regular basis, whereas non-leaders were more likely to update their cybersecurity strategy "intermittently," according to a survey of 200 CEOs and CISOs from The Wall Street Journal Intelligence and Forcepoint.
- About two-thirds of executives are considered "non-leaders," whereas the remaining executives scored "the highest possible rating for digital maturity, cybersecurity effectiveness, and cybersecurity talent and acquisition," according to the survey. The majority of leaders, 82%, have boards of directors who are "fully engaged" with security strategy, compared to only 39% of non-leaders.
- Most leaders, 70%, are more concerned with increasing agility than reducing costs, compared to 57% of non-leaders. Nearly two-thirds of leaders value protecting consumer data over organizational intellectual property, compared to 56% of non-leaders.
When CISOs have the backing of their non-technical C-suite counterparts, they will likely hit their goals. But not all organizations are created equal.
Boards recognize they lack the necessary information to make governance decisions without disturbing innovation. The democratization of security is disrupting how businesses operate across departments, and that turmoil requires better communication.
As more boards acknowledge cyber-related risks pose a "fundamental hazard" to business continuity, CISOs will receive more attention. The CISO, in turn, needs to know how to effectively engage with their boards — heat maps aren't going to cut it anymore in risk assessment presentations.
Heat maps don't give boards enough indication of where risk exists, and therefore cannot quantify a risk, let alone determine an action to address it.
Technical leaders are often asked to speak to their non-technical counterparts without technology jargon. CISOs can be more precise in their risk assessments by answering several staple questions:
What is being defended: Is it the business or a business component?
Who is authorized to take the risk? Do they also know how to mitigate it in case of an incident?
What has the security organization done to ensure the business is defended? Where are the weak spots?
What tools are required?
The WSJ Intelligence and Forcepoint survey found CISOs believe in the effectiveness of their digital and security maturity more than their CEOs. CEOs and CISOs largely agreed they have "very effective" cybersecurity measures, which is an indicator of their confidence. The executives recognize that threats exist and address them accordingly.
As leaders report they are "close" to an ideal cybersecurity stance, the scale of cyberattacks is only increasing, forcing cyber strategies to evolve daily.