There is an urgent need for boards to become better educated about cyber security in order to propagate an appropriate attitude to infosec to CEOs and, from them down, an appropriate culture throughout an organisation.
A recent survey conducted by McAfee found CEOs to be the C-suite executives least concerned about cyber risk — despite being identified by 67 per cent of respondents as the executives that should be held accountable for cyber risk.
McAfee attributed this to "a lack of KPIs and/or incentives related to cyber security, organisational culture and because of business strategy and direction."
Ian Yip, Asia Pacific CTO with McAfee, told Computerworld: "The main thing that stood out from the survey was that we asked CIOs and CISOs, 'Who do you think should be accountable for cyber security?' and 'Who do you think cares least for cyber security?' and we got the same answer.
"Forty-five per cent said CEOs should be responsible and 45 per cent said CEOs care least. So there is a misalignment of expectations there. CIOs and CISOs are saying 'CIOs really don't care but somehow I have to make them realise the buck stops with them. No matter what I am doing, they need to push the security culture from the top down'."
Yip said any solution had to start with board education: "Boards are becoming increasingly aware that cyber is a problem but being educated about it is a whole different issue.
"That education is required for them to realise that the CEO should be accountable and for them to make it so and put that into the CEOs' bonus plans and KPIs. Because if they are not incentivised and measured, things tend to get left by the wayside."
"The more educated boards become, the more CEOs will be held properly accountable, and the more that security culture will trickle down to allow spend to increase to match the risk profile," he added.
Yip said that the absence of a pervasive cyber-security culture driven from the CEO was likely to compromise organisations' ability to maintain the necessary level of cyber security.
"A Ponemon study asked CISOs what they expect to be doing this time the next year. One of the top things was not wanting to be in security.
"That is an indictment of the industry… It speaks to them saying, 'This is a hard problem to solve and I am not being given what I need to solve this problem' and 'until I get that this is a really stressful problem. I'm not able to sleep at night and I am getting all the blame'."
The McAfee report suggested new legislation, such as Australia’s notifiable data breaches scheme, might increase the perception that CEOs must be involved in cyber risk management.
However, it said, to make them effective would require "an organisational commitment to clear cyber security plans – and the metrics, collaboration, and prioritisation of resources necessary to make those plans a part of the company’s everyday functioning."
Cyber security "driven by the CEO to ensure it trickles down to every part of the organisation," the report said, "requires an overall security culture driven by the use of a common risk language across every part of the information-security risk function and business organisation… built on commonly accepted views of risk and business impact, with regular reporting on progress against a strategic, defensible plan."