Whose Job Is It to Manage Cybersecurity? Hint: Stop Pointing at the CIO

Pareto Cyber

Too many enterprises treat cybersecurity as an afterthought, delegated entirely to the CIO and the IT department.

Yet organizations across the board are dealing with more frequent and more varied cyber threats on an unprecedented scale. According to McKinsey, attackers are not only collaborating with one another but also leveraging emerging technologies, such as artificial intelligence, to conduct attacks. These approaches pose a serious risk to any company such groups target, because they shorten the full attack cycle considerably.

Despite several recent high-profile cyberattacks, most organizations are still not taking security risks seriously. In PwC’s 2022 survey, 63% of corporate executives said that their cybersecurity efforts do not get sufficient involvement and support from their CEOs.

Protecting your organization involves a lot more than hiring some IT specialists and buying security software. If you want to avoid costly data breaches and associated business consequences, your entire leadership team needs to work on managing security operations.

Here’s an overview of why organizations struggle to share responsibility around cybersecurity, and how to create a more productive security culture in your organization.

The Problem with Enterprise Cybersecurity Management

Leaving cybersecurity to an isolated CIO and IT team, without buy-in from other stakeholders and company leaders, is dangerous. Given the prevalence of cyberattacks against businesses across industries, investing in a robust threat management program is a must for protecting your business interests.

There are two main reasons enterprises lag on prioritizing cybersecurity:

  1. Reactive Threat Management
  2. Siloed Security Operations

Reactive Threat Management

The high costs of a cyberattack are clear from even a brief glance at industry publications or recent headlines detailing breaches against high-profile organizations.

So why are managers not acting in proportion to those risks?

Much of the gap between how security professionals and other executives perceive the importance of cybersecurity is caused by basic cognitive bias. While even a single data breach can significantly harm business operations, most companies underestimate the likelihood of being attacked (until an attack actually happens).

Improving security operations can be quite time-consuming and expensive, and a hypothetical risk doesn’t seem urgent enough to prioritize. So managers are usually reactive rather than proactive, acting on cyber threats only once an attack has occurred.

This reactive approach puts your organization at real risk. Cybersecurity cannot be treated as an occasional investment, because both the threats and the remediation strategies involve a great deal of unpredictability and change.

Siloed Security Operations

While delegating security operations to IT specialists and relevant executives (CIO, CISO, etc.) may seem natural, a siloed cybersecurity approach is not effective against modern threats.

When your security staff is not communicating with the rest of the executive team, leadership’s perception of your enterprise’s cyber maturity may not reflect reality. According to a 2020 Netwrix report, 66% of CIOs don’t report security-related metrics and performance to their executives.

A communication gap between business and technology stakeholders can lead to underinvestment in IT and security operations. In fact, in a recent IIF and McKinsey survey, 58% of companies acknowledged that they do not spend enough on cybersecurity.

Bridging the Gap: Business Impacts of Cybersecurity

Many problems with cybersecurity management start because some of your executives may not understand how cybersecurity affects your organization’s overall performance.

To overcome this communication gap, you need to frame the discussion in terms of business objectives and metrics familiar to your company’s leadership. Translate the metrics your security team uses (such as mean time to detect a threat or the number of security alerts your business handles) into the financial risks your organization could face.

Create a sense of urgency by helping your executive team picture the specific consequences that they might have to deal with in the event of a breach. It may be helpful to mention the specific vulnerabilities for your industry and business type, as well as the exact types of attacks that are commonly seen within your space.

Steps to Improve Cybersecurity Management

Developing a culture of accountability around cybersecurity in your organization should begin with involving all relevant stakeholders in those efforts.

To help prioritize risks of cyber threats, discuss not only the threats themselves but also their likelihood, business impacts, and what company assets are likely to be compromised.

You should work with other executives to relate business activities to any corresponding security risks and vulnerabilities. This collaboration should become an ongoing effort, as your organization’s risk profile can change with any acquisitions, operations, or shifts in market conditions.

There are many ways to involve your business executives in improving your cybersecurity. For example, you can run simulated cyberattack workshops to help executives practice responding to an active threat and then reflect on their strategy and approach. Deloitte recommends building your approach on linking security impacts to business outcomes and financial terms.

No one person can manage cybersecurity on their own, and companies need to take a more proactive and collaborative approach to security operations. By highlighting the risks of avoiding ownership of cybersecurity, you can motivate more people in your company to get involved and help protect your organization.