A pre-COVID-19 global survey of CEOs and CISOs conducted by WSJ Intelligence found large differences in focus, strategy and planning between more cybersecurity-focused executives—labeled ‘Leaders’—and those less focused on cyber. ‘Leaders’ are much more likely (88%) to report that cybersecurity is the top priority risk factor facing the organization. 76% of the ‘Leaders’ review and update their cybersecurity strategy on an ongoing basis, compared with only 46% of other executives. Unsurprisingly, 82% of these ‘Leaders’ report that their BoDs recognize that ‘Cybersecurity is critical and are fully engaged with it as part of a key business strategy’, compared to only 39% of the ‘non-Leaders’ who say the same about their BoD. And 88% of ‘Leaders’ report deriving excellent value from cybersecurity spending.
Another critical difference is that the highest concern of ‘non-Leader’ CEOs and CISOs over the next 3-5 years is identity theft, while ‘Leaders’ are far more concerned with malware-type breaches such as ransomware.
The ‘Leaders’ identified by WSJ Intelligence comprised 33% of the survey participants and share a very similar cybersecurity outlook and set of focus areas that differ markedly from those of the ‘non-Leaders’. By very high margins, the ‘Leaders’ view cybersecurity as their top priority and are backed up by their Boards in this outlook; they review and update their cybersecurity strategy on an ongoing basis; and they are (correctly) far more concerned about the potential impact of malware/ransomware attacks on their organizations than about data breaches. This is consistent with our extensive analysis, most recently here, demonstrating that ransomware poses a greater financial and operational threat than data breaches do.
But it is not enough simply to review and update a cybersecurity strategy on an ongoing basis. Boards and C-suites should have transparent financial metrics for assessing cyber performance, as they do for every other major business risk.
One notable finding: respondents average more than 50 vendors in their cybersecurity stack, and a majority of every category—CEOs, CISOs, Leaders and non-Leaders—would like to work with more vendors than they currently do. This is problematic, as organizations often do a very poor job of utilizing the full capabilities of the IT resources they already possess, which creates high levels of redundancy between tools and budgetary waste. A higher number of cybersecurity vendors and tools can also increase the probability of coverage gaps between the varied systems, and it is these gaps that attackers exploit.
Leaders and non-Leaders alike should know that lower corporate network complexity and a better-managed security stack are key factors in better cyber performance.