A recent report published by global consulting giant Unisys highlighted a major disconnect between CEO and CISO views on cyber resilience. The study, which polled the perspectives of 88 CEOs and 54 CISOs, predominantly from Australia's small-to-medium businesses, revealed that while 69% of CISOs believe that cybersecurity is viewed as part of the organization's business plans and objectives, just 27% of CEOs agree with this statement. These revelations are disappointing, but not surprising. The Cyber Leadership Institute has long advocated for increased focus on board and executive engagement in cyber resilience programs.
To address this common disconnect, we recommend three practical steps:
- The board and senior leadership team should form a cyber risk governance committee composed of senior IT and business stakeholders. The mandate of this committee is to rigorously challenge the cyber resilience strategy, ensuring that key risks and compliance obligations are considered and that sufficient resources are provided to achieve the stated goals.
- The CISO should present the cyber risk profile and mitigation strategies to the executive committee at least monthly, aligning business and technology perspectives on cyber risk.
- At least once every six months, the CISO must coordinate a tabletop exercise to simulate the recovery of essential business functions in the event of plausible cyber risk scenarios. These should be attended by senior IT, business and risk executives. This fosters deeper business-IT collaboration.