Global Economist Intelligence Unit survey, sponsored by Willis Towers Watson, finds varied approaches on how leadership implements cyber resiliency across their organisations, with stronger communication and collaboration needed across various functions, including between the board and the CISO. Anthony Dagostino, Global head of cyber risk with Willis Towers Watson.
A majority of executives around the world feel they face a “specialist-generalist” dilemma as to whom leads on cyber resiliency due to its critical nature across the company, but also the recognition that specialisation is necessary. This is according to the results of a global survey conducted by The Economist Intelligence Unit (EIU) and sponsored by Willis Towers Watson.
The EIU surveyed over 450 companies across the globe about their strategies and the challenges they face in building a cyber resilient organisation. Almost 40 percent of executives surveyed felt that the board should oversee cyber, compared with 24 percent who felt it should be the role of a specialised cyber committee. A small portion of respondents surveyed believed it should be the responsibility of audit, risk or some other subgroup.
The survey also found that communication within leadership roles regarding cybersecurity risks is also inconsistent: Only 8% of executives say that their CISO or equivalent performs above average in communicating the financial, workforce, reputational or personal consequences of cyber threats. Less than a quarter of executives say that their cyber resilience board briefings are “well above average”. Under 15% give their CISOs or equivalent a top rating from a scale of one to ten.
“It is no surprise that one of the main challenges companies face when implementing a cyber risk mitigation or resiliency plan is the communication gap between the board and the CISO,” says Anthony Dagostino, global head of cyber risk with Willis Towers Watson. “Cyber resiliency starts with the board because they understand risk and can help their organisations set the appropriate strategy to effectively mitigate that risk. However, while CISOs are security specialists, most of them still struggle with adequately translating security threats into operational and financial impact to their organisations- which is what boards want to understand.
To close this communication gap, CISOs need tools that can help them quantify and translate the vulnerabilities uncovered from their cybersecurity maturity assessments. These tools enable them to better communicate the risk to the board, seek adequate budget, and enable the board to provide meaningful guidance”.
According to the survey, the specialist-generalist dilemma is not only faced at the board level, as cyber requires specialist knowledge and skills along with enterprise-wide business, workforce and process capabilities. For example, as workforce vulnerabilities contribute to most cyber incidents, two-thirds of companies surveyed believe HR and Information Security partnership is key. When asked whom takes a lead role in developing employee-related cyber risk policies, 54% said HR leads with Information Security advising and 28% said Information Security leads with HR advising.
“These findings are encouraging because they signal that more organisations are involving their HR function in addressing cyber risk. Still, organisations need greater collaboration between their CHROs and their CISOs to truly assess the organisational culture driving cyber risk in the first instance. The solution isn’t always more security awareness training. It could be a leadership or incentives and rewards issue, things that fall squarely within the function of the CHRO,” Dagostino added.
Some other key findings around leadership responsibilities for cyber include: Three out of the four regions surveyed believe that the “board as a whole” should oversee cyber risk, while Europe believes it should be a dedicated cyber group.
Only 30 percent of executives believe they have enough directors that understand cyber risks and only 23 percent are actively recruiting directors who understand those risks. In all regions except the UK, the heads of cyber-resilience report to the CEO. In the UK, most report to the board.