CEO and CISO Disconnect in Cybersecurity Prioritization and Strategy Puts Australian Organizations at Risk - Unisys Survey
CEO overconfidence and CISO lack of voice at the board level impedes proactive and holistic approach to cybersecurity; SMBs weak link in security supply chain
SYDNEY and BLUE BELL, Pa., October 16, 2019 – Chief Executive Officer (CEO) confidence regarding an organization's ability to detect and manage cyber concerns far outstrips that of Chief Information Security Officers (CISOs) – a disconnect that puts organizations at risk of cyberattacks, according to research released today by Unisys Corporation (NYSE: UIS).
The "Cybersecurity Standoff – Australia" research explores insights from 88 CEOs and 54 CISOs, predominantly from Australia's small-to-medium business (SMB) sector that forms a critical part of physical and digital supply chains. The responses indicate that many Australian CEOs still view cybersecurity in tactical terms and are failing to incorporate the protection of essential digital assets into strategic planning.
For example, while 69% of CISOs believe that cybersecurity is viewed as part of the organization's business plans and objectives, just 27% of CEOs agree with this statement. In addition, a quarter of organizations with a board do not report cybersecurity on a regular basis, and just 6% of all survey respondents see the role of their cybersecurity frameworks as tools to enable business and support growth.
"Lack of communication is a fundamental cause of this type of disconnect between the CEO and CISO. Not every CEO and CISO know how to, or even like to, talk to each other – they don't share the same language and might define what constitutes a breach very differently. And to some degree there is a fear factor: where some CISOs believe if they disclose every issue they run into, they will lose their jobs. Effective communication and shared definitions are needed to drive a mindset change where security risk management becomes part of the business plan," said Gergana Kiryakova, industry director cyber security for Unisys, Australia and New Zealand.
The research reveals a consistent theme of cybersecurity over-confidence among CEOs:
- Just 6% of CEOs say their organizations have suffered a data breach in the last 12 months, compared to 63% of CISOs;
- More than four in 10 (44%) CEOs believe their organizations can respond to cyber threats in real time, whereas just 26% of CISOs agree; and
- More than half (51%) of CEOs believe their organizations' data collection policies are clear to consumers or citizens, yet only 26% of CISOs agree.
"As enterprises digitize core functions the type and volume of data collected, stored and used grows significantly. And the reality is that data breaches are inevitable. Organizations must take a proactive approach to securely manage their data and identify and isolate threats before they impact business continuity, partners, customers or citizens. If business leaders don't incorporate cybersecurity into their overall risk framework, they can't respond effectively to threats across the supply chain ecosystem, or capitalize on emerging opportunities in the data economy," added Kiryakova.
Peter Altabef, Chairman and CEO of Unisys, explained the challenge of securing the supply chain in today's hyper-connected world: "No single government entity, company or industry group is individually capable of designing or maintaining an assuredly safe internet environment. The effort must be the result of a coordinated approach where stakeholders have a shared understanding of their respective roles and responsibilities and take actions that promote integration of complementary ecosystem capabilities."
Altabef is co-chair of the U.S. President's National Security Telecommunications Advisory Committee (NSTAC) Cybersecurity Moonshot initiative, which has the goal to make the Internet safe and secure for the delivery of critical services by 2028.
Unisys recommends a security approach that spans six key pillars to protect critical digital assets and change cybersecurity culture within the business. They are:
- Technology – Establish a zero trust environment where the default is always to verify permission, from both within and outside of the IT environment;
- Human behavior – Utilize user and entity behavior analytics to identify risky data practices or activities;
- Education – Introduce a 'whole of organization' approach to cybersecurity education from the top down. Use this as an opportunity to discuss cybersecurity's value to the business;
- Eco-system roles and responsibilities – Create a layered environment where the focus is to predict, protect, detect and respond to potential threats;
- Privacy – Ensure a culture of responsibility where all employees responsible for collecting, or with access to sensitive data (including executive leaders) understand compliance requirements;
- Policy – Clearly define secure data management expectations with all employees, suppliers and partners. Incorporate cybersecurity into the overall business risk framework.
Unisys' Cyber Security Standoff – Australia research sought the insights and opinions of CEOs and CISOs from Australia's private and public sectors to better understand the perceived role and value of cybersecurity at a business level. The online survey was conducted by Pure Profile during September 2019, surveying 88 CEOs and 54 CISOs from Australia's private and public sectors. Reflecting the Australian business landscape, 90% of responses were from SMBs (less than 200 employees).
Unisys is a global information technology company that builds high-performance, security-centric solutions for the most digitally demanding businesses and governments on Earth. Unisys offerings include security software and services; digital transformation and workplace services; industry applications and services; and innovative software operating environments for high-intensity enterprise computing. For more information on how Unisys builds better outcomes securely for its clients across the Government, Financial Services and Commercial markets, visit www.unisys.com.
RELEASE NO.: 1016/9719
Unisys and other Unisys products and services mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. Any other brand or product referenced herein is acknowledged to be a trademark or registered trademark of its respective holder.