Cybersecurity starts in the C-Suite

Prioritizing security from the C-suite down

A recent survey of 580 IT security professionals at the 2017 Black Hat USA conference found that 67 percent—or about two-thirds—of respondents believe their own organizations would face a major breach in the next year.

This alone isn’t necessarily a shocking statistic. A quick scan of recent headlines provides an abundance of evidence of how sophisticated and widespread today’s cyber attacks have become.

And there’s no sign of attacks slowing down. According to the Identity Theft Resource Center, so far this year there have been over 930 data breaches that have led to more than 19 million records exposed.

It’s more surprising, then, that 69 percent of respondents to the Black Hat survey said they still lack adequate staff to meet this growing threat. Further, 58 percent said they didn’t have the budget and 67 percent said they did not have sufficient training.

The security disconnect

Why is this the case? Survey respondents cited as one of their top challenges the perceived disconnect between their organization’s security team and upper management who are making strategic business decisions.

In today’s environment, this disconnect can have serious consequences for organizations large and small because, ultimately, good cybersecurity starts in the C-suite.

Fortunately, many companies are starting to realize this and are hiring experts with both business and security credentials to fill critical roles as CTO, CIO, CISO, and the like. But hiring the right person for the job is just the first step.

But it’s not enough to just share data; executives in the C-suite need guidance on how to translate the quantitative data into a tangible and actionable response. Traditionally, IT security professionals relied on the CIO to facilitate this communication, but increasingly security executives are reporting outside of the CIO organization.

The need for action

C-suite executives need to provide security leadership by (1) clearly communicating why managing security risk is key to business success; (2) coordinating and collaborating with the IT security professionals on their team on a daily basis to inform decisions; and (3) making sure that everyone has the training and resources, both in terms of workforce and budget, that they need to get the job done.

At CA we are committed to these three principles because we know that, ultimately, our success as a security company depends on them. Building and maintaining trust among our customers and employees is key to all that we do and this includes our own management principles.

If you haven’t thought about how your organization is prioritizing security from the C-suite down, now’s the time.

David Billeter

David Billeter is Chief Information Security Officer at CA Technologies. David has particular expertise in securing complex systems, and proven abilities to interact and win “buy-in” from executives, technologists and varied interest groups.
