As organizations focus more on managing and mitigating cyber risk, a new question likely will become standard in assessment of innovations and technologies, features or functions: What is the potential cyber risk associated with this?
Not only will they ask about potential liabilities to the company but also to consumers, clients and associated third parties, says Emily Mossburg, principal and advisory and implementation services leader for Deloitte Cyber. “We aren’t there yet, but we’re starting to see it happen,” she notes.
Creating visibility about cyber risk is one of the issues facing today’s organizations. To learn about how they are dealing with it, Deloitte queried 500 C-suite executives responsible for cybersecurity for its 2019 Future of Cyber survey. Questions centered around their challenges to improve cybersecurity awareness across the organization, as well as the role cyber plays in digital transformation, talent management and reporting structure.
In the past, the cybersecurity function was “tucked away in IT,” Mossburg says. “We’re in the midst of a shift to where the space is becoming a broader chief operating officer (COO)-type of function,” she says. “The stakeholders aren’t just the IT stakeholders anymore. They are now broadly spread across the business — and beyond the leaders of a business function. It’s really starting to get into those driving product development, management and innovation for organizations. (Cybersecurity is becoming) something talked about during the developmental stage of ideation and new innovation.”
Where cybersecurity falls within an organization also is changing. According to the report, 43 percent of chief information security officers (CISOs) who were surveyed say they report directly to their CEOs. When considering all survey respondents, 32 percent say the CISO role reports to the CEO. Only 19 percent indicated CISOs reported to the chief information officer (CIO).
That differs from previous Deloitte findings, Mossburg says, and could signal a positive change in reporting structure. “We do a number of labs with CISOs and CIOs focusing on transformation and next generation of cyber programs,” she says. “In those instances, nearly 80 percent of the CISOs are reporting to the CIOs. There’s a bit of a disconnect here.” But a change in reporting structure along with interaction with a broader set of stakeholders helps drive the adoption, broadening and awareness of cyber in the marketplace, she says.
Getting executive support can aid in awareness, Mossburg notes: “That brings not only visibility, but a different line of questioning.” An executive view of downstream impacts is broader compared to a more siloed view, where the concern tends to be on whether all the boxes are checked and if the company is compliant, she says.
While support from leadership is necessary, so is bottoms-up support, due to the detailed nature of cyber and data related to it, she says: “There are pressures on both sides to make this work, and for organizations to be able to tackle their cyber risk and have a program, processes, solutions and an organizational structure in place to enable protecting their systems and technology.”
Cybersecurity programs can differ from organization to organization, with some basic and others more evolved. It’s a “different risk appetite,” Mossburg says. “There are a whole host of questions organizations ask themselves to determine how at risk they are,” she adds. “For sure, everyone isn’t at the same level of risk — and therefore, doesn’t have the same level of spend, energy, size and scale of program. But you’d be hard-pressed to find an organization not doing something.”