Security is a board-level issue. While the high media focus on data breaches in recent years has played a role in dragging security up the agenda, there are some far more pragmatic and impactful drivers behind this trend: failing to deal with security in the manner that is appropriate to the enterprise's operational context and appetite for risk results in the potential to damage brand reputation, customer numbers and the share price.
It is no wonder that security risk management is dealt with at the highest levels. In fact, as shown in a recent survey conducted by IDC, FireEye and DXC featuring 500 senior European IT and security decision makers, more than 80 percent of respondents involve the CEO as part of the cyber risk escalation framework. But who else does best practice indicate ought to be involved in this process?
IDC's survey indicates that there are two roles in particular whose involvement have an impact on driving up maturity levels: the COO, and a non-executive board member focused on risk/security/compliance.
Let's look at the role of COO in the cyber escalation process first. At the lowest levels of maturity, the majority of respondents (60 percent) do not involve the COO in this framework. After all, the COO is concerned with the operations of the business lines, not "back-office" activities such as security, right? However, as we move up through the maturity levels a different picture emerges. When we move up to the midrange maturity categories, two-thirds of respondents involve the COO. For the most mature respondents, this figure rises to 87 percent.
So what is the story here? The answer starts to become clear when we consider the responses to another question in our survey. Specifically, our study shows that the more mature an organisation is, the earlier that security will be involved in any new business initiative. In fact, IDC would suggest that best practice is to involve security right from the very beginning. By extension, this makes the COO within a "cyber-mature" enterprise a key stakeholder in the handling of security. This provides support when launching and handling new projects within the lines of business, in a fashion that reduces exposure to risk. It also allows them the flexibility to react if and when a breach occurs. Importantly, COOs ask different questions. They can embed security — or at least secure thinking — in the day-to-day business operations, thus significantly improving overall exposure to threats.
The second key role to highlight here is the non-executive board member that is focused on risk/security/compliance. For the sake of brevity, let's refer to them as the non-executive subject matter expert (or non-exec SME). As with the COO, there is a marked increase in the involvement of such a role as we move up the maturity chain. In this case, it is an even starker contrast – where 29 percent of respondents at the lowest level of maturity involve such a role in the cyber risk escalation framework, this rises to 91 percent at the highest level.
The reason for this distinction is perhaps less clear than for the COO, but there does appear to be one key explanation. This time, it is a question of communication and prioritisation within the escalation framework. Specifically, there remains a risk of a disconnect between the technically minded security specialists and the more business-orientated people who populate the rest of the escalation framework. This is particularly evident at the board level, which as we've seen tends to sit at the top of this process.
An enduring challenge for security professionals is the ability to "speak business", of being able to express the nature and severity of a cyber threat to those without a technical background. When the non-exec SME comes into the picture, they bring the ability to act as a bridge between the board and the security team. Individuals possessing these skills – of leadership and communication, and being able to span the gap between the technical experts and the lines of business – are rare. Consequently, they play a key role for respondents at the upper end of the cyber maturity spectrum.
To conclude, the CEO, COO and non-exec SME are by no means the only roles to sit within a cyber escalation framework. In fact, our survey would indicate that the more mature an enterprise is in its approach to security, the more key stakeholders they are likely to involve in this process. However, that is not to say that senior executives ought to be thrown at the framework willy-nilly, which runs the risk of making the escalation process too complex. Ultimately, the burden of responsibility must fall on the CEO. However, consideration must be given to how this escalation framework ought to be shaped so that the CEO is presented with the right information with which to make a decision, and in a format that is interpretable, so it can then be disseminated across the business in a consistent fashion.
Complete the IDC Cyber Risk Assessment for help making informed decisions around cyber risk strategy and to understand the benefits associated with increasing your readiness in the face of evolving threats.
Dominic Trott is research manager for IDC's European Security Research team, covering both products and services.