Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
TRANSCRIPT
©2015 IBM Corporation, 18 February 2016
Securing the C-Suite: Cybersecurity perspectives from the boardroom and C-Suite
Carl Nordman, IBM Institute for Business Value; Diana Kelley, Executive Security Advisor, IBM Security
Today’s panelists
Carl Nordman, Research Director, IBM Institute for Business Value: https://securityintelligence.com/author/carl-nordman/ and https://www.linkedin.com/in/carlnordman
Diana Kelley, Executive Security Advisor, IBM Security: https://securityintelligence.com/author/diana-kelley and https://www.linkedin.com/in/dianakelleysecuritycurve
Why survey the C-Suite on cybersecurity? Cybercrime is an insidious threat that has reached crisis levels. Though hard to quantify with precision, estimates of the cost of cybercrime to the global economy may range from $375 billion USD to $575 billion per year.
• Reputational damage, financial loss, national security concerns and loss of intellectual capital, to name just a few, are among the risks the C-suite is taking serious notice of
• Historically considered a technical issue within the domain of the IT department, security is now a central topic in operations and across the C-suite, and has been elevated to board level
The objective of this study is to gain a perspective on cybersecurity through the lens of the executive suite: to gauge executives’ level of understanding of and engagement with cybersecurity risks and practices, and to contrast that against CISO concerns and known issues uncovered by security experts.
Agenda
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
We surveyed over 700 C-suite executives in 29 countries, across 9 roles, representing 18 industries
Q4. In what country is your enterprise headquartered? Select one. Sample size: 702
Chart: share of respondents by headquarters region. Regions: North America, Central and South America, Western Europe, Middle East and Africa, Central and Eastern Europe, Asia Pacific, Japan. Shares shown: 24%, 24%, 17%, 12%, 12%, 7%, 4% (the region each share belongs to is not recoverable from the extracted text).
Data was collected using a survey with 20 questions for all C-suite participants and an additional 3-5 specific to each role
Questions asked across C-suite roles:
• 5 Demographic
• 5 Risk awareness
• 5 Capability and preparation
• 5 Governance
Role-specific examples:
• CEO: Cybersecurity importance relative to other strategic issues; willingness to share information (internally and externally)
• CHRO: Deployed employee education; protected critical employee personal sensitive data
• CFO/CRO: Degree security is incorporated into ERM plans; protected critical financial and risk data
There is a balanced representation across company size, industry and C-suite role
Sample size: 702
Chart: Company size in $USD annualized revenue. Bands: Under $500M (35%), $500M - $1B, $1B - $10B, Over $10B; the remaining shares shown are 45%, 15% and 5% (the band each belongs to is not recoverable from the extracted text).
Chart: C-suite role. Roles: Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Marketing Officer, Chief Human Resource Officer, Chief Legal/Compliance Officer, Chief Risk Officer, Chief Operations Officer, Chief Supply Chain Officer (4%); the remaining shares shown are 13%, 13%, 13%, 13%, 12%, 12%, 12% and 8% (the role each belongs to is not recoverable from the extracted text).
Chart: Industry (breakdown not recoverable from the extracted text).
Agenda
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
IBM’s 2015 Global C-Suite study revealed IT security risks have risen to become a top concern
Source: IBM 2015 C-Suite Study, Q1.4 “Which of the following technologies will revolutionize your business in 3 to 5 years? [Rank up to 3]” cut by Q2.3 “Which of the following risks do you think may occur in 3 to 5 years as a result of the technology you ranked #1 in question 1.4?” Rake-weighted, n=5247.
This is a marked change from just two years ago, when security concerns made just a blip on their radar screens.
Greatest risks with emerging, disruptive technologies
Disruptive technologies where IT security risk was selected as the #1 top concern:
• Mobile solutions
• Cloud computing
• Smart, connected (IoT)
• Cognitive computing
• Advanced manufacturing technologies
• Man-machine hybrids
CxOs’ consistent IT risk concerns across both studies mask a prevailing issue: legacy vulnerabilities still remain high
The latest “technologies du jour”, such as mobile, are capturing more executive-level attention, despite the fact that there are currently fewer known incidents through these channels than through others (e.g. legacy applications, vendor/partner system integration points, network security).
Admittedly, legacy infrastructure vulnerabilities remain a top concern for all. They are exacerbated by emerging technologies (e.g. API security).
Seventy-five percent of CxOs believe a comprehensive cybersecurity program is “important to extremely important”
Chart: % of C-suite indicating cybersecurity plan components are important to extremely important. Components: Prevention, Detection, Response, Remediation; values shown: 78%, 77%, 76%, 74% (the component each value belongs to is not recoverable from the extracted text). Weighted average response for the whole cybersecurity plan: 75% important to extremely important.
Q12. How important are the following elements of a cybersecurity plan in each of the areas described below? Please rate each item below on a scale of 1 to 5, with 1 being “Not at all important”, 5 being “extremely important”, or “Don’t know”. Sample size: 691
On average the C-suite may be overstating the probability of a significant cybersecurity incident occurring at their company
Chart: C-suite view of the probability of a significant cybersecurity incident in the next 2 years. Categories: 0% probability, Over 0% to 25%, 25%-50%, 50%-75%, Greater than 75%, It’s inevitable, Already happened; shares shown: 51%, 23%, 8%, 6%, 6%, 5%, 1% (the category each share belongs to is not recoverable from the extracted text). C-suite weighted average view of the probability of a significant cybersecurity incident in the next 2 years: 38%.
The 2015 “Cost of Data Breach Study” estimated the probability of a breach resulting in the theft of 10,000+ records over 2 years to be about 22%.1
Q9. What do you believe is the probability of a significant Cyber Security incident affecting your enterprise in the next 2 years? Note, “significant” is defined as an event that would cause a material disruption to operations, customers, vendors. Select one. Sample size: 702
1: 2015 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015, page 20, figure 15.
Half or more of CxOs acknowledge the risks of industrial espionage and organized crime but understate others
Chart: Riskiest threat actors selected by C-suite respondents. Actors: Current/former vendors, Foreign governments, Organized crime groups, Competitors outside industry, Domestic government, Organized terrorist groups, Rogue individuals, Current/past employees, Competitors in industry; shares shown: 70%, 54%, 50%, 32%, 26%, 23%, 19%, 17%, 8% (the actor each share belongs to is not recoverable from the extracted text).
• 80% of material threats arise from organized crime groups1
• 31.5% of data breaches are attributable to malicious insiders (employees, contractors, vendors)2
• 23.5% of data breaches are due to inadvertent actors (insider errors, non-adherence to policy)2
On average, they overstate the risk from rogue actors and understate the risk from employees, foreign governments and industrial espionage.
Q7: Rank the top three entities that you believe represent the most significant threats to Cyber Security for your enterprise, with 1 being most significant. Sample size: 702
1: UNODC Comprehensive Study on Cybercrime 2013
2: IBM 2015 Cyber Security Intelligence Index - https://securityintelligence.com/economic-espionage-the-global-workforce-and-the-insider-threat/
Agenda
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
While a majority of CEOs agree more collaboration is needed with government, industry and across borders, more than two-thirds are unwilling to participate in that collaboration
Chart: CEO agreement with the need for external collaboration with various groups, versus CEO reticence to participate in sharing incident information with them (values not recoverable from the extracted text).
Q2 (CEO): To what extent are you willing to disclose Cyber Security incidents with the following stakeholders on a scale of 1 to 5, with 1 being not at all and 5 being extensively? Externally = Vendors, Regulators, Industry Competitors, Third Party Security Experts.
Q3 (CEO): On the following Cyber Security related actions, please indicate if you agree or disagree with each statement. Sample size: 87
On average the C-suite appears highly confident in the veracity of their cybersecurity plans
Chart: % of C-suite respondents by role that report the cybersecurity strategy of their company is well established. Roles: CEO, CMO, CIO, CHRO, CFO, CLO, CRO, CSCO, COO; values shown: 77%, 76%, 70%, 66%, 63%, 61%, 59%, 55%, 51% (the role each value belongs to is not recoverable from the extracted text). C-suite average response that the cybersecurity strategy of their company is well established: 65%.
In light of responses on the degree of C-suite engagement on cybersecurity issues, that confident view starts to erode
Chart: % of C-suite respondents by role that report they are very engaged in security threat management discussions. Roles: CFO, CMO, CIO, CRO, CHRO, CEO, CSCO, CLO, COO. High engagement / low to no engagement pairs shown: 56%/44%, 48%/52%, 45%/55%, 56%/44%, 43%/57%, 41%/59%, 38%/62%, 43%/57%, 57%/43% (the role each pair belongs to is not recoverable from the extracted text).
% of C-suite highly engaged in cybersecurity threat management: 40%
% of C-suite who agree the cybersecurity plan incorporates C-suite collaboration: 31%
Agenda
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
Methodology to cluster effectiveness of the C-suite on cybersecurity across 7 factors
3 strategic components:
• Q10.1 Evaluating potential security issues across all initiatives (C-suite collaboration)
• Q10.2 Identifying critical enterprise data (the “crown jewels”)
• Q10.3 Developing an effective response plan in the event of a breach (internal and external)
4 tactical components:
• Q13.1 Prevention: Having necessary prevention practices and tools in place
• Q13.2 Detection: Deploying continuous monitoring and detection tools
• Q13.3 Response: Implementing a comprehensive response plan
• Q13.4 Remediation: Implementing remediation plans to strengthen security
We asked respondents how they have prepared strategically and tactically along these factors, and used their responses to these questions to see whether clusters emerged, by capability.
An analysis of the responses to these specific questions revealed three distinct clusters
Sample Size = 702
Q10. To what extent has your organization established and implemented Cyber Security plans and capabilities across your enterprise? Please rate each item below [Strategic Plan, Data Protected, Response Plan ready] on a scale of 1 to 5, with 1 being “Not at all” and 5 being “Extensively”.
Q13. Considering your entire enterprise, how effective are current Cyber Security plans in each of the areas described below [Prevention, Detection, Response, Remediation]? Please rate each item below on a scale of 1 to 5, with 1 being “Not at all effective” and 5 being “extremely effective”.
Companies with a “cybersecure” C-suite are more than twice as likely to have a security office and have appointed a CISO
A “cybersecure” C-suite is more likely to be governed with C-suite collaboration built into the plan
A “cybersecure” C-suite provides far more transparency and communicates more with the Board of Directors
Agenda
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
A set of three recommendations emerged for the C-suite to consider as they evolve their cybersecurity capabilities
1. Understand the risks
2. Collaborate, educate and empower
3. Manage risk with vigilance and speed
Learn more about the study: Securing the C-Suite
Visit ibm.com/security/ciso to download the report
Learn more about IBM Security
• 130+ countries where IBM delivers managed security services
• 25 industry analyst reports rank IBM Security as a LEADER
• No. 1 enterprise security vendor in total revenue
• 12K+ clients protected, including 90% of the Fortune 100 companies
Join IBM X-Force Exchange xforce.ibmcloud.com
Visit our website ibm.com/security
Watch our videos on YouTube IBM Security Channel
Read new blog posts SecurityIntelligence.com
Follow us on Twitter @ibmsecurity
Learn more about the IBM Institute for Business Value
For more information
To learn more about this IBM Institute for Business Value study, please contact us at [email protected]. Follow @IBMIBV on Twitter, and for a full catalog of our research or to subscribe to our monthly newsletter, visit ibm.com/iibv. Access IBM Institute for Business Value executive reports on your mobile device by downloading the free “IBM IBV” app for your phone or tablet from your app store.
The right partner for a changing world
At IBM, we collaborate with our clients, bringing together business insight, advanced research and technology to give them a distinct advantage in today’s rapidly changing environment.
IBM Institute for Business Value
The IBM Institute for Business Value, part of IBM Global Business Services, develops fact-based strategic insights for senior business executives around critical public and private sector issues.
THANK YOU
©2015 IBM Corporation