CEO and CISO disconnect puts Australian organizations at risk: Unisys survey

Published: Friday, 18 October 2019 08:46

Chief executive officer (CEO) confidence regarding an organization's ability to detect and manage cyber concerns far outstrips that of chief information security officers (CISOs) – a disconnect that puts organizations at risk of cyber attacks, according to research released by Unisys Corporation.

The ‘Cybersecurity Standoff – Australia’ research explores insights from 88 CEOs and 54 CISOs, predominantly from Australia's small-to-medium business (SMB) sector, which forms a critical part of physical and digital supply chains. The responses indicate that many Australian CEOs still view cyber security in tactical terms and are failing to incorporate the protection of essential digital assets into strategic planning.

For example, while 69 percent of CISOs believe that cyber security is viewed as part of the organization's business plans and objectives, just 27 percent of CEOs agree with this statement. In addition, a quarter of organizations with a board do not report cyber security on a regular basis, and just 6 percent of all survey respondents see their cyber security frameworks as tools to enable business and support growth.

"Lack of communication is a fundamental cause of this type of disconnect between the CEO and CISO. Not every CEO and CISO know how to, or even like to, talk to each other – they don't share the same language and might define what constitutes a breach very differently. And to some degree there is a fear factor: where some CISOs believe if they disclose every issue they run into, they will lose their jobs. Effective communication and shared definitions are needed to drive a mindset change where security risk management becomes part of the business plan," said Gergana Kiryakova, industry director cyber security for Unisys, Australia and New Zealand.

The research reveals a consistent theme of cyber security over-confidence among CEOs:

"As enterprises digitize core functions the type and volume of data collected, stored and used grows significantly. And the reality is that data breaches are inevitable. Organizations must take a proactive approach to securely manage their data and identify and isolate threats before they impact business continuity, partners, customers or citizens. If business leaders don't incorporate cyber security into their overall risk framework, they can't respond effectively to threats across the supply chain ecosystem, or capitalize on emerging opportunities in the data economy," added Kiryakova.

Unisys recommends a security approach that spans six key pillars to protect critical digital assets and change cyber security culture within the business. They are:

The survey was conducted by Pure Profile during September 2019 and covered 88 CEOs and 54 CISOs from Australia's private and public sectors. Reflecting the Australian business landscape, 90 percent of responses were from organizations with fewer than 200 employees.