CEOs in the dark on Cybersecurity

Australian Chief Executive Officer (CEO) confidence in their organization's ability to detect and manage cyber concerns far outstrips that of Chief Information Security Officers (CISOs), a disconnect that puts organizations at risk of cyberattacks, according to research released by Unisys Corporation.

The "Cybersecurity Standoff – Australia" research explores insights from 88 CEOs and 54 CISOs, predominantly from Australia's small-to-medium business (SMB) sector that forms a critical part of physical and digital supply chains.

The responses indicate that many Australian CEOs still view cybersecurity in tactical terms and are failing to incorporate the protection of essential digital assets into strategic planning.

For example, while 69% of CISOs believe that cybersecurity is viewed as part of the organization's business plans and objectives, just 27% of CEOs agree with this statement. In addition, a quarter of organizations with a board do not report cybersecurity on a regular basis, and just 6% of all survey respondents see the role of their cybersecurity frameworks as tools to enable business and support growth.

"Lack of communication is a fundamental cause of this type of disconnect between the CEO and CISO. Not every CEO and CISO knows how to, or even likes to, talk to each other – they don't share the same language and might define what constitutes a breach very differently. And to some degree there is a fear factor: where some CISOs believe if they disclose every issue they run into, they will lose their jobs.

"Effective communication and shared definitions are needed to drive a mindset change where security risk management becomes part of the business plan," said Gergana Kiryakova, industry director cyber security for Unisys, Australia and New Zealand.

The research reveals a consistent theme of cybersecurity over-confidence among CEOs:

  • Just 6% of CEOs say their organizations have suffered a data breach in the last 12 months, compared to 63% of CISOs;
  • More than four in 10 (44%) CEOs believe their organizations can respond to cyber threats in real time, whereas just 26% of CISOs agree; and
  • More than half (51%) of CEOs believe their organizations' data collection policies are clear to consumers or citizens, yet only 26% of CISOs agree.

One of the biggest disconnects the survey reveals is that CEOs and CISOs focus their attention on different threats.

Among those who have experienced a data breach, both CEOs and CISOs agreed that human error (64 per cent) was the most likely cause. This was followed by targeted attacks by hackers (56 per cent), malware/spyware (54 per cent), deliberate data breaches by staff (33 per cent) and a breach through partners or suppliers (18 per cent).

Despite human error being seen as the top threat, when asked what the biggest cybersecurity threat to their organisation is, just 18 per cent of CEOs and 44 per cent of CISOs felt that a lack of staff knowledge on how to protect data should be their chief concern. Instead, they cited malicious attacks as the greatest concern, with 64 per cent of CEOs and 69 per cent of CISOs agreeing that this is their biggest risk.

From here, however, there is a significant disconnect regarding perceived cyber risks. While CISOs are concerned about state-sponsored spying (52 per cent versus eight per cent of CEOs) and corporate espionage (28 per cent versus 14 per cent of CEOs), CEOs (27 per cent) believe that out-of-date technology is placing their organisation at risk (compared with just seven per cent of CISOs).

The online survey was conducted by Pure Profile during September 2019, surveying 88 CEOs and 54 CISOs from Australia's private and public sectors. Reflecting the Australian business landscape, 90% of responses were from SMBs (less than 200 employees).