August 2024

Cybersecurity Leadership is Crucial – So Where Are All the C-Suite CISOs?

Benjamin Netter, CEO, Riot

If we take companies at their word, they’re more committed to cybersecurity than ever. And so they should be – cyber attacks have never been so sophisticated or potentially damaging.

But beyond all the platitudes, are companies actually committed to cybersecurity? If so, why do only 5% of the latest Fortune 100 companies feature a security professional in their executive leadership? And what does this lack of boardroom or C-suite representation tell us?

In this article, we’ll explore the gap between what companies say about their cybersecurity commitments, and what they actually do in practice. Then, we’ll offer practical suggestions on how to champion a culture of cybersecurity no matter who has a seat at the table.

Let’s start with a fundamental question.

Cybersecurity is crucial – but do companies actually care?

‘We remain committed to customer privacy and security.’ Every time companies announce a security incident, they say these words.

But if companies are so committed to cybersecurity, why are they always getting scammed?

In 2023, for example, there were 3,122 major reported data breaches in the US alone, affecting the data of an estimated 353 million users in total. That’s a lot of successful cyber attacks for such a security-conscious group of organizations.

Of course, companies saying one thing and doing another is hardly new. What makes this situation different is the scale of the threat of phishing, data breaches, and other cyber attacks – and the grave consequences of these attacks for customers and shareholders.

Let’s stick with the data breach example. Each year, 83% of US organizations report being the victims of at least one breach, with each breach costing an average of $9.44 million USD. For publicly traded companies, these breaches also wipe out an average of 7.5% in stock value. In competitive markets, these consequences aren’t just serious – they’re existential.

There are, however, positive signs in how leaders now view cybersecurity. Whereas company boards might once have viewed the threat of data breaches and other cyber attacks as something for IT to deal with, 88% of boards today consider cybersecurity to be a broader business risk. This means they’re more likely to give these threats the time and attention they deserve.

Unfortunately, there’s one cybersecurity metric that still refuses to budge.

Why are so many security leaders still shut out of the C-suite?

Despite increased awareness of the importance of cybersecurity, the majority of companies still don’t feature security professionals (Chief Security Officers or Chief Information Security Officers) in their C-suites or boards of directors. According to a 2022 study, just 12% of all CISOs have a company board seat.

But the situation could be worse – some estimates suggest 45% of companies don’t have a CISO at all. In fact, the smaller the organization, the more likely it is to operate without a CISO or CSO: while only 10% of organizations with 5,000+ employees are operating without these roles, this figure is 52% for mid-sized organizations, and 64% for small organizations.

So, when companies are touting their commitment to cybersecurity in public statements and charters, why are so few security leaders given a seat at the table? Is it because executives don’t value security as much as other functions, such as finance or HR?

This might be one factor – but there’s also the question of aptitude: according to some assessments, only one in ten CISOs are actually board-ready. And with the average board size of S&P 500 companies being around 11 people, there are only so many seats to go around.

This is why it’s so important for companies to support CISOs and CSOs in their ongoing professional development. This way, when the time comes for them to take a seat at the C-suite or boardroom table, they’ll be ready to champion great cybersecurity leadership.

C-Suite or not, CISOs need to champion great cybersecurity leadership

As with every aspect of company operations, people look to leadership for guidance on cybersecurity. And that includes CISOs and CSOs, whether they’re on your board or not. Here are three key steps to champion a great culture of cybersecurity awareness.

Step #1: Champion your cybersecurity strategy

CISOs and CSOs set the tone when it comes to cybersecurity awareness and education, ensuring basic practices (such as compliance with NIS2 requirements) are reflected in core systems and processes. That’s why it’s crucial for them to own the development of cybersecurity strategies – especially when studies suggest only 40% of strategies are developed by security professionals.

So, own your cybersecurity strategy, and make sure company leadership gets behind it too.

Step #2: Demonstrate your ability to manage a crisis

Unfortunately, many people have little confidence in company executives when it comes to managing cybersecurity risks: for example, one study shows only 30% of directors trust their board’s ability to oversee a crisis. And who can blame them? Board members and C-suite members don’t always have the expertise necessary to respond to cyber attacks – which helps explain why it can take so long for companies to publicly acknowledge data breaches.

CISOs and CSOs can build confidence in company cybersecurity leadership by taking accountability for managing risks and visibly promoting incident response plans. They can also help to put a face on cybersecurity culture by being contact points for questions or concerns.

Step #3: Prove the true ROI of a great cybersecurity culture

Despite changing attitudes, many company leaders still see cybersecurity protections as an unnecessary drain on budgets, or a blocker to the speed of business. Unfortunately, this is one of the biggest factors holding companies back from building the right cybersecurity culture.

In reality, staying secure against cyber attacks is a profit driver – and it’s up to CISOs and CSOs to prove it. By avoiding the significant negative impacts associated with cyber attacks, including financial loss, reputation damage, and disruptions to services and production, security leaders can demonstrate how committing resources to cybersecurity can ultimately pay dividends.

With these three steps, CISOs and CSOs can champion great cybersecurity leadership – whether or not they have a seat in the C-suite.

Demonstrate cybersecurity leadership with awareness training people actually love

Despite executives being more committed to cybersecurity, many CISOs and CSOs still don’t get the recognition they really deserve. By championing a cybersecurity culture, these security leaders can earn trust by keeping their teams safe and showing the real value of cyber safety.

One crucial step in keeping people safe? Investing in a cybersecurity awareness program people actually love. To find out how Riot can deliver unforgettable training on digital footprints, spear phishing, deepfakes and more, get in touch with one of our experts today.