Whom to involve in cyber risk escalation

Security is a board-level issue. While the high media focus on data breaches in recent years has played a role in dragging security up the agenda, there are some far more pragmatic and impactful drivers behind this trend: failing to deal with security in a manner appropriate to the enterprise’s operational context and appetite for risk exposes brand reputation, customer numbers and the share price to damage.

It is no wonder that security risk management is dealt with at the highest levels. In fact, as shown in a recent survey conducted by IDC, FireEye and DXC Technology featuring 500 senior European IT and security decision-makers, over 80% of respondents involve the CEO as part of the cyber risk escalation framework. But who else does best practice indicate ought to be involved in this process?

IDC’s survey indicates that there are two roles in particular whose involvement has an impact on driving up maturity levels: the COO on one hand, and an executive board member focused on risk/security/compliance on the other. Let’s look at the role of the COO in the cyber escalation process first. At the lowest levels of maturity, the majority of respondents (60%) do not involve the COO in this framework. After all, the COO is concerned with the operations of the business lines, not ‘back-office’ activities such as security – right? However, as we move up through the maturity levels a different picture emerges. In the mid-range maturity categories, two thirds of respondents involve the COO. For the most mature respondents this figure rises to 87%.

So what is the story here? The answer starts to become clear when we consider the responses to another of the questions contained within our survey. Specifically, our study shows that the more mature an organization is, the earlier security will be involved in any new business initiative. In fact, IDC would suggest that best practice is to involve security right from the very beginning. By extension, this makes the COO within a ‘cyber-mature’ enterprise a key stakeholder in the handling of security. This provides support when launching and handling new projects within the lines of business, in a fashion that reduces exposure to risk. It also gives the lines of business the flexibility to react if and when a breach occurs. Importantly, COOs ask different questions. They can embed security – or at least secure thinking – in the day-to-day business operations, thus significantly reducing overall exposure to threats.

The second key role to highlight here is the non-executive board member who is focused on risk/security/compliance. For the sake of brevity, let’s refer to them as the executive subject matter expert (or exec SME). As with the COO, there is a marked increase in the involvement of such a role as we move up the maturity chain. In this case, the contrast is even starker: where 29% of respondents at the lowest level of maturity involve such a role in the cyber risk escalation framework, this rises to 91% at the highest level.

The reason for this distinction is perhaps less clear than for the COO; however, there does appear to be one key explanation. This time, it is a question of communication and prioritization within the escalation framework. Specifically, there remains a risk of a disconnect between the technically minded security specialists and the more business-oriented people who populate the rest of the escalation framework. This is particularly evident at the board level, which, as we’ve seen, tends to sit at the top of this process.

An enduring challenge for security professionals is the ability to ‘speak business’: to express the nature and severity of a cyber threat to those without a technical background. This is where the exec SME comes into the picture, with the ability to act as a bridge between the board and the security team. Individuals possessing the leadership and communication skills needed to span the gap between the technical experts and the lines of business are rare. Consequently, they play a key role for respondents at the upper end of the cyber maturity spectrum.

To conclude, the CEO, COO and exec SME are by no means the only roles to sit within a cyber escalation framework. In fact, our survey would indicate that the more mature an enterprise is in its approach to security, the more key stakeholders it is likely to involve in this process. However, that is not to say that senior executives ought to be thrown at the framework willy-nilly, which runs the risk of making the escalation process too complex. Ultimately, the burden of responsibility must fall on the CEO. However, consideration must be given to how this escalation framework ought to be shaped so that the CEO is presented with the right information with which to make a decision, in a format which is interpretable and can then be disseminated across the business in a consistent fashion.