A report from The Economist Intelligence Unit
Sponsored by
The cyber-chasm: How the disconnect between the C-suite and security endangers the enterprise
© The Economist Intelligence Unit Limited 2016
Contents
Executive summary
Research methodology
Findings of the survey
Conclusion
Appendix: survey results
Executive summary
No company wants to be the next headline in the aftermath of a massive data breach, so you might think cyber-security strategies run like well-oiled machines. Not so, according to a new global survey by The Economist Intelligence Unit (EIU), sponsored by VMware. Instead, the research found a systematic disconnect between C-suite executives and senior technology leaders—a divide that can imperil the security of the firm.
• Corporate leadership and security executives do not share the same commitment to cyber-security—cyber-security ranks as the number one priority for security leaders, but only number nine for the C-suite.[1]
• The C-suite focuses on the strategic implications of cyber-security—primarily the impact of a cyber-attack on the firm’s reputation or brand. The security function takes a tactical focus on assets—customer data, regulated information, apps, etc.
• The two segments are not in sync on the priority of assets for protection—a significant disconnect as many firms move to a flexible, priority-based defence system.
• Over 30% of security professionals expect a major and successful attack on the firm within 90 days, whereas only 12% of C-suite executives share that sense of urgency.
• This level of concern escalates—nearly 40% of security executives, and 25% of C-suite members, project a successful attack within three years.
• One area of agreement is on the origins of future threats; both segments worry about new technologies—such as cloud computing and BYOD (bring your own device)—that act as points of entry for unknown, unguarded-against threats.
• Security functions remain committed to traditional security solutions such as firewalls, identity management etc. Many are pursuing a “defend all” approach, making it difficult to prioritise defences.
• The C-suite, which makes budget decisions, is not likely to allocate the budgets that the security executives believe are necessary to protect the firm, or that match the expected escalation of threat levels.
This executive cyber-chasm creates imperatives for both segments. The C-suite needs to better understand the vulnerability of their business, and in particular how threats may escalate. The security/IT team needs to bring itself into alignment with the C-suite’s more strategic view of cyber-security within the firm’s operations. Finally, the security function must manage its expectations on the funding that will be provided to support cyber-defences, or adopt more flexible and lower-cost solutions.
[1] For the purposes of this survey, the Chief Information Officer was included in the security leadership segment. Please see Research methodology on the next page.
Research methodology
In January-February 2016, the EIU, sponsored by VMware, surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFOs, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
Findings of the survey
Mismatched perceptions of urgency and risk
Perhaps the most important decision a company can make about cyber-security is its importance. The C-suite and security leadership simply do not agree on the priority that it should be given.
By a large margin security executives rank cyber-security as the number one corporate initiative for their company. This is not surprising—after all, this group is directly responsible for corporate security strategies and their careers will be on the line if a serious breach occurs.
The disconnect is that despite years of news reports about destructive data breaches at leading firms, security ranks near the bottom of the C-suite’s priority list. Only 5% of C-suite executives consider it the highest priority corporate initiative—second to last on a list of ten major corporate initiatives. Instead, the C-suite focuses on growth issues such as acquiring customers and growing internationally.

CHART 1 Which of the following corporate initiatives has the highest priority in your company? Select one. (% respondents)

| C-suite | % | Security leadership | % |
| --- | --- | --- | --- |
| Growing internationally | 16 | Protecting against cyber-attacks | 35 |
| Acquiring new customers | 16 | Acquiring new customers | 14 |
| Supporting global growth | 15 | Ensuring regulatory compliance | 12 |
| Ensuring regulatory compliance | 13 | Launching new products and services | 9 |
| Reducing costs | 11 | Supporting global growth | 7 |
| Fostering innovation and creativity | 8 | Growing internationally | 6 |
| Launching new products and services | 7 | Fostering innovation and creativity | 6 |
| Meeting sustainability goals | 6 | Reducing costs | 5 |
| Protecting against cyber-attacks | 5 | Meeting sustainability goals | 4 |
| Hiring and keeping the best people | 3 | Hiring and keeping the best people | 3 |

Source: Economist Intelligence Unit survey, 2016

Marc Goodman is the founder of the Future
Crimes Institute, and has consulted for
international law enforcement agencies. He is
not surprised by the C-suite attitudes. “Any
good CEO focuses on making more money,
while preventing losses is still seen as a
necessary evil,” he says. “Corporate risk
management is something that needs to be
managed, but it’s not something that CEOs
get up in the morning and feel excited about.”
But while it may not be a surprise that
cyber-security ranks below business growth on
the C-suite agenda, it also trails other
governance issues such as regulatory
compliance and sustainability.
This may be an indication that executive
boards are not giving security the attention it
deserves. This lack of commitment can have
direct implications for firms’ security posture, by
limiting funding and diminishing the impetus for
organisational change.
Total information security is an impractical
goal, so companies need to prioritise their
more valuable or vulnerable assets.
Unfortunately, this study reveals that the
C-suite and security leadership are not in sync
on what needs to be protected the most.
The C-suite’s priorities are clear – their
primary single concern is to safeguard the
reputation and brand of the firm. In contrast,
security executives are focused on the data
and the software—regulated data, customer
information, applications, services, etc.
Industry research corroborates these findings. “Most institutions do not have enough insight into what information assets they need to protect with what priority,” according to Risk and Responsibility in a Hyperconnected World, a report from the World Economic Forum and McKinsey & Company.[2] “Going forward, cybersecurity teams need to work with business leaders to understand business risks (for example, loss of proprietary information about a new manufacturing process) across the entire value chain and prioritize the underlying information assets accordingly.”
[2] http://www.mckinsey.com/business-functions/business-technology/our-insights/risk-and-responsibility-in-a-hyperconnected-world-implications-for-enterprises

CHART 2 What is the single most important asset in your company that needs to be protected from cyber-attacks? Select one. (% respondents)

| C-suite priorities | % | Security leadership priorities | % |
| --- | --- | --- | --- |
| Our reputation with our customers | 25 | Regulated data | 25 |
| Private intra-company communications | 14 | Customer information | 20 |
| Strategic plans and initiatives | 12 | Our reputation with our customers | 16 |
| Regulated data | 12 | Applications and services | 14 |
| Customer information | 10 | Strategic plans and initiatives | 7 |
| Applications and services | 8 | Private intra-company communications | 6 |
| Proprietary processes | 6 | Proprietary processes | 5 |
| Product specifications and pricing | 6 | Employee information | 4 |
| Proprietary research | 4 | Proprietary research | 3 |
| Employee information | 3 | Liquid financial assets that could be stolen | 1 |
| Liquid financial assets that could be stolen | 1 | Product specifications and pricing | 1 |

Source: Economist Intelligence Unit survey, 2016

This mismatch in priorities also speaks to a
broader disconnect between management
and IT. The C-suite is thinking about the
consequences of the breach—a strategic
perspective. The security leadership remains
heavily focused on information, data and
applications—a tactical approach.
This is not just a difference of opinion—the
divergence manifests itself in the structure of
the firm’s defences (see chart 3).
The security function’s cyber-defence efforts
appear to track the priorities of the security
function—with less effort and resources
directed to the priorities of the company’s
leadership. Accepting that the C-suite knows
the broader interests of the firm, this implies
that the most important assets are under-protected.
Another glaring mismatch between business
and security leadership is in their relative
perception of the risk of a security breach.
For example, almost a third (31%) of senior
security executives believe that their company
is either extremely or very vulnerable to a
major cyber-attack within 90 days—an
alarming number in its own right. But only 12%
of C-suite members share this view and this
urgency. This is a serious disconnect between
those who lead their companies and those
who are charged with protecting them.
Similarly, 39% of security executives expect
that their company will suffer a major breach
within five years, versus just 27% of C-suite
executives.

CHART 3 Comparison of C-suite priorities and security implementation. Select one. (% respondents)

| C-suite: priority of assets to be protected | % | Security leadership: assets—level of confidence in their protection | % |
| --- | --- | --- | --- |
| Our reputation with our customers | 25 | Regulated data | 51 |
| Private intra-company communications | 14 | Customer information | 47 |
| Strategic plans and initiatives | 13 | Strategic plans and initiatives | 45 |
| Regulated data | 12 | Proprietary research | 41 |
| Customer information | 10 | Our reputation with our customers | 40 |
| Applications and services | 8 | Proprietary processes | 30 |
| Proprietary processes | 6 | Applications and services | 25 |
| Product specifications and pricing | 6 | Private intra-company communications | 22 |
| Proprietary research | 4 | Product specifications and pricing | 21 |
| Liquid financial assets that could be stolen | 1 | Liquid financial assets that could be stolen | 17 |

Source: Economist Intelligence Unit survey, 2016

CHART 4 A serious cyber-attack is one that succeeds in breaching your company’s defences and causes harm to the business. How likely is it that your firm will experience such an attack within the following time frames? (% respondents)

| Time frame | C-suite | Security executives |
| --- | --- | --- |
| Within 90 days | 12 | 31 |
| Within one year | 23 | 40 |
| Within three years | 25 | 38 |
| Within five years | 27 | 39 |

Source: Economist Intelligence Unit survey, 2016

There is, however, broad agreement on the
sources of cyber insecurity. Four out of ten
C-suite respondents (40%), and a third of
security leaders (34%), see cloud architecture
as one of their company’s greatest sources of
security risk. There is similar agreement on
penetration through non-standard devices
(BYOD).
The C-suite clearly believes that cyber-
security activity is taking a toll on critical
functions—stifling innovation, slowing responses
to competitors, delaying the launch of new
products etc. Notably, they also see it as a
major diversion of budgeted funds and, above
all, a drain on management time and effort
(including their own).
The IT leadership needs to understand the
perspective of the C-suite—as important as
cyber-security is, it is one of many contending
corporate priorities. The C-suite is seeking to
balance its constraint with an effective
organisation. If the security executives are out
of sync with this holistic thinking, the
programmes they advance may be
underfunded, rejected, or simply not acted
upon by the larger organisation. This is another
disconnect that can lead to vulnerabilities
within the firm.

CHART 5 What do you believe is the greatest risk or vulnerability of your firm to cyber-attack? Select one.

| C-suite | % | Security leadership | % |
| --- | --- | --- | --- |
| Cloud architecture | 40 | Threats that move faster than our defences | 36 |
| Penetration through non-standard devices (BYOD) | 39 | Cloud architecture | 34 |
| Undersized & underfunded security | 31 | Penetration through non-standard devices (BYOD) | 34 |
| Threats that move faster than our defences | 30 | Careless or untrained employees | 28 |
| Careless or untrained employees | 27 | Outdated security software | 23 |
| Outdated security software | 23 | Undersized & underfunded security | 16 |
| Penetration through suppliers/customers | 14 | Out of date internal systems | 15 |
| Out of date internal systems | 14 | Penetration through suppliers/customers | 10 |
| Ex-employees | 8 | Ex-employees | 9 |
| Senior management that does not get security | 7 | Senior management that does not get security | 5 |
| Rogue employees | 2 | Rogue employees | 3 |

Source: Economist Intelligence Unit survey, 2016

CHART 6 How has the threat of cyber-attacks, and the effort it takes to mitigate it (cyber-security), impacted the current operations of your company? (% respondents)

| Impact | C-suite | Security executives |
| --- | --- | --- |
| Absorbs too much management time | 54 | 25 |
| Reduces employee efficiency | 46 | 23 |
| Slows competitive response | 45 | 22 |
| Impedes product launches | 45 | 20 |
| Absorbs too much capital | 43 | 23 |
| Stifles collaboration | 33 | 24 |
| Impedes new market entry | 33 | 26 |
| Stifles innovation | 32 | 24 |

Source: Economist Intelligence Unit survey, 2016

The threats—perception of where future cyber-risk will come from
One area where there is broad agreement
between the C-suite and security executives is
on the sources of future cyber-risk—the areas
of greatest risk or vulnerability to the firm.
Both groups share the highest levels of
concern around the growing adoption of
cloud architecture, along with new
vulnerabilities stemming from non-standard
hardware related to employee BYOD policies.
These are not so much threats in themselves,
but are instead the portals that future cyber-
attackers can enter through. What both
groups fear is the unknown—the potential to
create threats that we don’t know about yet.
These are the threats that cannot be
controlled.
While there is general agreement on future
threats, there is divergence on the “threats
that move faster than our defences.” Security
leaders register a higher level of concern—36%
versus 30% for C-suite members—in this critical
category.
Again, this may indicate a dangerous lack
of appreciation by the C-suite of the rapid
mutation of the cyber-attack community.
The nature of cyber-defences
Security professionals understand they’ll
continue to play a cat-and-mouse game with
hackers. Whenever a defence emerges to
block the latest threat, sophisticated cyber-
thieves quickly unveil a new and often more
insidious exploit.
So it’s not surprising that CIOs and CISOs
remain committed to tactical
responses, such as firewalls, anti-virus software
and cloud-based security solutions. All of the
solutions presented are deemed essential to
security strategies by the security professional
respondents.
However, the C-suite does not appear to
share the same confidence in these
approaches. Across all categories, the C-suite
assigns significantly lower importance to these
solutions—and they are the ones who write the
cheques.
To be sure, most of these solutions will
remain essential, like locks on the front door of
a home. But in a world where the cyber-
security stakes are so high, tactical solutions
alone won’t stop data breaches.

CHART 7 Threats that move faster than our defences (selected as future threat to the business) (% respondents)

| Segment | % |
| --- | --- |
| C-suite executives | 30 |
| Security leadership | 36 |

Source: Economist Intelligence Unit survey, 2016

CHART 8 Please indicate the importance of the following factors in your security strategy. (% respondents)

| Factor | C-suite | Security executives |
| --- | --- | --- |
| Cloud-based security solutions | 29 | 48 |
| Firewalls | 24 | 50 |
| Anti-virus solutions | 24 | 45 |
| Mobile security | 24 | 49 |
| Post-incident response | 23 | 27 |
| Software back-up and recovery | 22 | 52 |
| Unified threat management | 16 | 23 |
| Identity & access management | 15 | 24 |
| End point solutions (eg VPN) | 8 | 30 |

Source: Economist Intelligence Unit survey, 2016

“The traditional approach holds that we are
going to use anti-virus, firewalls and intrusion
detection to create big moats so that when
the barbarians attack, we’ll see them coming
and repel them,” Mr Goodman says. “That’s
an outdated model of security for today. The
new model acknowledges that the barbarians
aren’t at the gate, they’ve overrun the gate
and it’s imperative for the CISO to actively
hunt them down and get them off the
network. It’s about remediation and resilience
because the bad guys are already here.”
Funding—paying for cyber-defences
Funding presents a real challenge to a
“defend everything” strategy. In every line of
defence, the C-suite demonstrates a
significantly lower commitment to fund these
projects. On average, their level of
commitment is less than half that of the
security leadership.
Threats grow more than budgets
Having the C-suite and security staff on
different pages about the urgency, trade-offs
and nature of cyber-risks means they can’t
collectively do everything necessary to protect
against current and future exploits. For
example, the business leaders may not provide
the financial support needed to stop
sophisticated attacks. The survey illustrates this
with responses that show only modest funding
increases in the months ahead.
Clearly, the security professionals would like
to see additional financial resources to fight
today’s threats. In reality they may have to
manage escalating security risk with much
smaller budgets than they might like.

CHART 9 Please indicate your firm’s funding priority for the following cyber-security solutions. (% of respondents who designated the category a funding priority)

| Solution | C-suite | Security executives |
| --- | --- | --- |
| Firewalls | 12 | 31 |
| Mobile security | 11 | 35 |
| Software back-up and recovery | 10 | 34 |
| Cloud-based security solutions | 9 | 29 |
| Anti-virus solutions | 9 | 28 |
| Post-incident response | 7 | 16 |
| Identity & access management | 6 | 20 |
| Unified threat management | 4 | 14 |
| End point solutions (eg VPN) | 2 | 17 |

Source: Economist Intelligence Unit survey, 2016

CHART 10 Respondents who foresee a large increase in cyber-security funding (more than 25%) (% of respondents who foresee a major increase in cyber-security funding)

| Period | C-suite | Security executives |
| --- | --- | --- |
| Current-year funding | 8 | 28 |
| Next-year funding | 7 | 27 |

Source: Economist Intelligence Unit survey, 2016

Conclusion
Why is there a disconnect over something as
crucial as cyber-security?
One explanation lies in the different roles
and responsibilities of each group. The C-suite
sees the organisation holistically, as it tries to
balance the full range of business, technology
and operational matters. Historically, security
staff have followed a more tactical path as
they defend against highly organised, nation-
state attackers, as well as opportunistic
hackers and untrustworthy insiders.
But these differences alone don’t tell the
whole story. The research shows signs of wider
problems, including missed opportunities for
better communication between security staff
and senior executives.
The implications are clear. Enterprises need
a united front against the growing number
and sophistication of attacks, and any
disconnect between key stakeholders about
cyber-vulnerabilities and the urgency of
responses could result in company
management not providing adequate
resources and budgets for security officials to
succeed. The challenge is particularly
significant given the ambitious, multi-defence
security programmes that security experts are
advocating today. Potentially, this could delay
responses to existing threats or keep
organisations from proactively taking steps
against emerging risks.
Fortunately, security professionals can foster
closer alignment by building on their status as
protectors of critical corporate assets. First,
security personnel must redouble efforts to
inform the C-suite of the growing seriousness of
cyber-threats. At the same time, security
specialists must grasp the reality that they will
likely have to depend on existing programs
and relatively modest budget increases to
effectively defend against a rising onslaught of
more-sophisticated cyber-attacks.
CIOs and CISOs must incorporate the wider
perspective of senior business executives into
their security planning so they can
demonstrate to the C-suite how cyber-security
supports the firm’s core strategic goals.
“There’s this major disconnect between
people who want to build companies and
those whose job it is to protect them because
the protectors haven’t done a good job in
framing cyber-security as a key business
enabler,” says Mr Goodman. “Cyber-security
shouldn’t be seen as the thing that costs you
money. It’s something that will help you adopt
new technologies so you can enhance
corporate growth by delivering new products
and services to your customers.”
Security executives need to configure their
cyber-defences to match the needs of the
firm. “Current models for protecting institutions
from cyber-attacks are becoming less and less
effective,” according to the World Economic
Forum and McKinsey report. “They are
technology-centric and compliance-driven.
They do not effectively involve senior business
leaders. They are highly manual and require
specialized talent. As a result, they do not
scale, given an increasing volume of attacks,
and they place too high a burden on the
business. All too often security is the choke
point for any innovative business initiative.”
Finally, just as threats are escalating, so are
the responses of firms. Effective cyber-
defences are going to involve all personnel,
cross siloes, and even extend to customers
and suppliers. This absolutely requires the
alignment and the commitment of the C-suite.
This is a chasm that the security leadership will
need to cross.
Appendix: survey results
Percentages may not add to 100% owing to rounding or the ability of respondents to choose multiple responses.

Which one of the following corporate initiatives has the highest priority in your company? Select one. (% respondents)

| Initiative | % |
| --- | --- |
| Protecting against cyber-attacks | 16 |
| Acquiring new customers | 15 |
| Ensuring regulatory compliance | 12 |
| Growing internationally | 12 |
| Supporting global growth | 10 |
| Fostering innovation and creativity | 9 |
| Reducing costs | 8 |
| Launching new products and services | 8 |
| Meeting sustainability goals | 7 |
| Hiring and keeping the best people | 3 |

What is the single most important asset in your company that needs to be protected from cyber-attacks? Select one. (% respondents)
Response options: Not confident at all; Somewhat not confident; Slightly confident; Very confident; Extremely confident; Don’t know
Customer information: 3 21 35 40 1
Regulated data (eg healthcare records): 4 20 33 42 2
Private company communications: 1 10 28 38 21 2
Proprietary processes: 1 7 27 38 26 1
Applications and services: 1 7 27 40 24 2
Strategic plans and product launches: 4 22 34 38 1
Product specifications and pricing: 2 9 30 38 20 2
Proprietary R&D: 5 22 35 36 2
Liquid financial assets that can be stolen: 2 9 29 40 19 1
Our reputation with our customers: 3 22 33 40 1

What is the single most important asset in your company that needs to be protected from cyber-attacks? Select one. (% respondents)

| Asset | % |
| --- | --- |
| Our reputation with our customers | 20 |
| Regulated data (eg patient healthcare records, classified information, etc) | 19 |
| Customer information | 15 |
| Private intra-company communications | 9 |
| Applications and services | 9 |
| Strategic plans and launches | 9 |
| Proprietary processes | 6 |
| Product specifications & pricing | 4 |
| Proprietary research and development | 4 |
| Employee information | 3 |
| Liquid financial assets that could be stolen | 1 |
| Don’t know | 1 |

What is your perceived level of risk facing your company from cyber-attack? Select one. (% respondents)

| Response | % |
| --- | --- |
| Not at all vulnerable | 8 |
| Not very vulnerable | 47 |
| Somewhat vulnerable | 26 |
| Very vulnerable | 12 |
| Extremely vulnerable | 7 |
| Don’t know | 0 |

A serious cyber-attack is one that succeeds in breaching your company’s defences, and causes significant harm to the business. How likely do you think your firm will experience such an attack in the following time frames? Select one for each row. (% respondents)

| Time frame | Very unlikely | Somewhat unlikely | Neither likely nor unlikely | Somewhat likely | Very likely |
| --- | --- | --- | --- | --- | --- |
| Within three months | 15 | 43 | 20 | 16 | 7 |
| Within one year | 11 | 31 | 24 | 22 | 11 |
| Within three years | 8 | 26 | 33 | 22 | 11 |
| Within five years | 7 | 25 | 35 | 22 | 12 |

What do you believe is the greatest risk or vulnerability of your firm to cyber-attack? Select the top three. (% respondents)

| Risk or vulnerability | % |
| --- | --- |
| Cloud architecture | 35 |
| Threats that move faster than our defences | 34 |
| Penetration through non-standard employee devices (BYOD) | 32 |
| Employees who are careless or untrained in cyber-security | 27 |
| An undersized and underfunded security team | 24 |
| Outdated security software and systems | 20 |
| Poor or out-of-date internal systems (authentication, passwords, etc) | 15 |
| Penetration through external partners such as suppliers or customers | 13 |
| Senior management that does not understand or is uninformed about cyber risk or security | 7 |
| Ex-employees | 7 |
| Rogue employees | 2 |
| None of the above | 2 |
| Don’t know | 1 |

Which one of the following types of attack, if successful, would cause the greatest harm to your company? Select one. (% respondents)

| Type of attack | % |
| --- | --- |
| Theft of customer data | 27 |
| Malware attacks that infect important company data and records | 18 |
| Theft of intellectual capital—proprietary process designs | 11 |
| Theft of intellectual capital—product designs | 10 |
| Public disclosure of sensitive intra-company communications | 9 |
| Cyber theft of financial assets (eg corporate cash accounts) | 9 |
| A breach that becomes public in the media | 5 |
| Use of “ransomware” to extort payment | 4 |
| Denial of service attacks that bring your online systems down | 4 |
| None of the above | 1 |
| Don’t know | 1 |

Which one of the following do you think is the most likely to seriously attack your firm within the next year? Select one. (% respondents)

| Type of attack | % |
| --- | --- |
| Theft of customer data | 22 |
| Malware attacks that destroy important company data and records | 20 |
| Cyber-theft of financial assets (eg corporate cash accounts) | 12 |
| Public disclosure of sensitive intra-company communications | 9 |
| Any breach that creates public media coverage | 6 |
| Theft of intellectual capital—product designs | 6 |
| Theft of intellectual capital—proprietary process designs | 6 |
| Denial of service attacks that bring your online systems down | 4 |
| Use of “ransomware” to extort payment | 1 |
| None of the above | 10 |
| Don’t know | 3 |

Which of the following would cause the most damage to your company due to a successful cyber-attack? Select one. (% respondents)

| Consequence | % |
| --- | --- |
| Losing our customer’s trust as a safe company to do business with | 37 |
| Loss of competitive information such as pricing or product plans | 24 |
| Loss of intellectual capital to competitors | 14 |
| Regulatory action due to loss of restricted data | 9 |
| Public disclosure of sensitive internal discussions | 8 |
| Loss of significant internal funds due to theft | 3 |
| Litigation due to loss of third-party data | 1 |
| Our online sites being taken down for significant periods | 1 |
| None of these | 1 |
| Don’t know | 1 |

How has the threat of cyber-attacks, and the effort it takes to mitigate it (cyber-security), impacted the current operations of your company? Select one in each row. (% respondents)

| Area | No impact | Low impact | Medium impact | High impact | Very high impact | Don’t know |
| --- | --- | --- | --- | --- | --- | --- |
| High cost of funds diverted to cyber security | 16 | 14 | 34 | 24 | 9 | 2 |
| Stifling employee innovation | 18 | 19 | 27 | 23 | 8 | 5 |
| Slowing response time to customers or competitors | 16 | 15 | 33 | 25 | 8 | 3 |
| Impeding the sharing of information amongst employees | 15 | 16 | 32 | 27 | 8 | 3 |
| Reducing the everyday efficiency of employees | 12 | 18 | 33 | 27 | 7 | 2 |
| Impeding the launch of new products | 17 | 16 | 32 | 27 | 6 | 3 |
| Ability to enter new markets | 20 | 15 | 29 | 27 | 9 | 1 |
| Management time and effort | 11 | 23 | 27 | 27 | 11 | 1 |

Strongly disagree
Somewhat disagree
Neither agree nor disagree
Somewhat agree
Strongly agree Don’t know
Cyber-risk is a challenge that our company can effectively meet
Our cyber-security system should be capable of detecting and stopping any cyber-attack
Cyber-security should be a standing item on board meeting agendas
Cyber-security is and should remain the domain of IT security specialists
Effective cyber-security can be achieved with enough investment in hardware and software
Effective cyber-security can be achieved without the involvement of the senior management
Our company’s cyber-security capabilities evolve quickly enough to keep pace with cyber-risk
To what extent do you agree with each of the following statements? Select one in each row.(% respondents)
1 6 20 39 32 2
1 8 26 41 22 3
1 8 27 41 21 2
1 5 21 36 35 2
6 19 37 35 3
1 10 23 38 26 3
1 7 27 39 24 3
Please state your level of agreement with the following statement. “We now have enough resources (funding, people and technology) dedicated to cyber-security to meet the current cyber-risk challenge.” Select one. (% respondents)
Strongly disagree: 0
Somewhat disagree: 3
Neither agree nor disagree: 10
Somewhat agree: 45
Strongly agree: 41
Don’t know: 1
How much, if at all, should your company’s budget for cyber-security be increased in 2016? Select one. (% respondents)
Budgets should decrease: 0
No change: 3
Budgets should be increased by about 10%: 62
Budgets should be increased by about 25%: 26
Budgets should be increased by about 50%: 5
Budgets should be increased by about 75% or more: 0
Don’t know: 3
To what extent do you agree with the following statements assessing your current security personnel needs? Select one in each row. (% respondents)
Response options: Strongly disagree; Somewhat disagree; Neither agree nor disagree; Somewhat agree; Strongly agree; Don’t know
Our cyber-security personnel have the necessary skills to maintain cyber-security: 1 7 33 56 3
Recruiting and retaining specialised personnel is a challenge in maintaining effective cyber-security at our firm: 5 21 32 33 9
To what extent do you agree your current security team and systems can meet the challenge of cyber-attacks? Select one. (% respondents)
Strongly disagree: 0
Somewhat disagree: 1
Neither agree nor disagree: 7
Somewhat agree: 32
Strongly agree: 59
Don’t know: 1
Please provide your assessment of your company’s security strategy by selecting one response for each statement. (% respondents)
Response options: Strongly disagree; Somewhat disagree; Neither agree nor disagree; Somewhat agree; Strongly agree; Don’t know/Not applicable
Our company’s security strategy is to focus on security tools—firewalls, antivirus, passwords etc—that block current attacks: 1 9 43 45 2
Our company’s security strategy focuses on a security architecture that provides comprehensive protection against cyber-attacks: 1 5 30 61 3
Please provide your assessment of your company’s current cyber-security capabilities. Select one in each row. (% respondents)
Response options: Strongly disagree; Somewhat disagree; Neither agree nor disagree; Somewhat agree; Strongly agree; Don’t know/Not applicable
I have confidence that our security team can protect the company from cyber-attacks: 5 15 41 33 6
Our security team effectively communicates to the board/C-suite on cyber-security issues: 5 21 33 36 5
I believe that our company’s board/C-suite provides the right amount of time and attention to cyber-security issues: 5 11 28 50 5
I believe our board/C-suite is appropriately informed on cyber-security issues: 5 14 29 46 6
How important is fiduciary liability in board/C-suite decisions about cyber-security? Select one. (% respondents)
Very unimportant: 0
Somewhat unimportant: 1
Neither important nor unimportant: 13
Somewhat important: 22
Very important: 63
Don’t know: 1
Please indicate the importance of the following factors in your security strategy. Select one in each row. (% respondents)
Response options: Not a factor; Not important; Important; Very important; Critically important; Don’t know
Firewalls: 4 24 32 39 1
Identity and access management: 6 34 38 21 1
End point solutions (eg VPN): 1 6 31 38 24 1
Unified threat management: 8 32 38 20 2
Cloud-based security solutions: 3 24 32 38 2
Anti-virus solutions: 5 24 34 35 3
Mobile security: 1 6 22 32 38 1
Post-incident response: 1 6 29 37 24 2
Data software (back-up and recovery): 3 25 31 39 2
Please indicate your firm’s funding priority for the following cyber-security solutions by selecting one response for each solution. Select one in each row. (% respondents)
Response options: Funding will be reduced; Funding will remain the same; Funding will increase modestly; Funding will increase significantly; Funding priority increase
Firewalls: 1 32 32 15 21
Identity and access management: 2 31 40 14 13
End point solutions (eg VPN): 2 33 39 15 11
Unified threat management: 2 38 39 13 9
Cloud-based security solutions: 3 27 33 17 20
Anti-virus solutions: 2 35 27 18 18
Mobile security: 5 29 28 15 23
Post-incident response: 4 34 38 12 11
Data software (back-up and recovery): 2 28 32 15 22
Please provide an estimate of the change in your company’s annual security budget in the past year, current year and next year. Select one in each row. (% respondents)
Response options: Decrease in budget; Stay the same; 0-25% increase; 26-50% increase; 51-75% increase; 76-100% increase; >100% increase; Don’t know
Last year: 26 50 20 2 1
Current year: 22 48 19 5 6
Next year: 21 49 19 4 7
Please provide an estimate of the change in cyber-attacks on your firm in the past year over the previous year. Select one in each row.
Response options: Decrease; Stayed the same; 0-25% increase; 26-50% increase; 51-75% increase; 76-100% increase; >100% increase; Don’t know
Total attacks: 1 23 49 20 5 1 1
Theft of consumer data: 1 25 48 18 6 1 1
Use of ransomware to extort payment: 1 25 48 19 6 1
Denial of service attacks: 1 27 49 16 6 1
Theft of intellectual capital: 1 26 46 18 7 1
Malware attacks that destroy important company data and records: 1 27 46 20 5 1 1
Public disclosure of important company intra-communications: 1 25 46 19 6 1 2
Cyber theft of financial assets (eg corporate cash accounts): 1 25 46 18 7 2
In which country are you personally located? Select one. (% respondents)
Australia: 9
China: 9
India: 9
Japan: 9
France: 8
Germany: 8
Netherlands: 8
UK: 8
US: 8
Brazil: 7
Mexico: 7
Sweden: 4
Denmark: 3
What are your organisation’s global annual revenues in US dollars? Select one. (% respondents)
$500m to $1bn: 67
$1bn to $3bn: 22
$3bn to $5bn: 9
$5bn to $10bn: 2
Over $10bn: 0
Which of the following best describes your title? Select one. (% respondents)
Board member: 0
CEO/President: 1
Chief financial officer/Head of finance: 6
Chief strategy officer/Head of strategy: 1
Chief marketing officer/Head of marketing: 5
Chief operating officer/Head of operations: 6
Chief information/technology officer/Head of technology/IT: 19
Chief risk officer/Head of risk: 3
Chief security officer/Head of security: 4
Chief sales officer/Head of sales: 3
Chief data officer: 1
Other C-level executive: 1
Managing director: 0
SVP/VP/Director: 50
What is your main functional role? Select one. (% respondents)
IT/Technology: 26
Marketing and sales: 16
Operations and production: 15
General management: 10
Finance: 9
Business development: 5
Security: 5
Risk: 4
Strategy: 4
Supply-chain management: 3
Human resources: 1
R&D: 1
Legal: 0
Other: 2
What is your primary industry? Select one. (% respondents)
Entertainment, media and publishing: 9
Healthcare, pharmaceuticals and biotechnology: 9
Telecoms: 9
Manufacturing: 8
Transportation, travel and tourism: 8
Consumer goods: 7
Retailing: 7
Chemicals: 6
Financial services: 6
Automotive: 5
Agriculture and agribusiness: 4
Construction and real estate: 4
IT and technology: 4
Logistics and distribution: 4
Aerospace and defence: 2
Energy and natural resources: 2
Government/Public sector: 2
Professional services: 2
Education: 1
Whilst every effort has been taken to verify the
accuracy of this information, neither The Economist
Intelligence Unit Ltd. nor the sponsor of this report can
accept any responsibility or liability for reliance by
any person on this report or any of the information,
opinions or conclusions set out in the report.
London: 20 Cabot Square, London E14 4QW, United Kingdom. Tel: (44.20) 7576 8000. Fax: (44.20) 7576 8476.
New York: 750 Third Avenue, 5th Floor, New York, NY 10017, United States. Tel: (1.212) 554 0600. Fax: (1.212) 586 0248.
Hong Kong: 6001, Central Plaza, 18 Harbour Road, Wanchai, Hong Kong. Tel: (852) 2585 3888. Fax: (852) 2802 7638.
Geneva: Boulevard des Tranchées 16, 1206 Geneva, Switzerland. Tel: (41) 22 566 2470. Fax: (41) 22 346 93 47.