The C-suite gap that’s putting your company at risk
New research from EY US shows that cyber attacks are creating serious financial risks. C-suite leaders don’t always agree on how exposed their companies are or where the biggest threats come from.
CISOs more concerned about cybersecurity (Source: EY US)
Cybersecurity as a strategic investment
In EY US’s latest C-suite cybersecurity study, 84% of executives said their company had faced a cyber incident in the past three years. Another EY US review of Russell 3000 companies found that after a cyber attack, a company’s stock price drops by an average of 1.5% over the next 90 days. This shows how much these attacks can hurt a company’s value.
EY asked 800 U.S. executives about cybersecurity. That included 300 CISOs and 500 other C-suite leaders. The survey looked at how much companies are spending, what new threats they see, and how prepared they feel. It found that CISOs are more concerned than other execs. 66% of CISOs said the threats they face are more advanced than their defenses. Only 56% of other C-suite leaders felt the same.
“Companies need to move beyond a ‘check the box’ mentality and recognize cybersecurity as a strategic investment, not simply a cost center,” said Jim Guinn, II, EY Americas Cybersecurity Leader. “It’s time to take the bull by the horns and push for not just the resources but the authority for cyber leaders to build truly resilient organizations. The cost of inaction is simply too high.”
Gaps between CISOs and other C-suite leaders could be putting companies at risk
CISOs are more likely to think senior leaders don’t fully understand how serious cyber threats are. About 68% of CISOs said top executives underestimate the danger. Only 57% of other C-suite leaders agreed.
The two groups also disagree on who’s behind past cyber incidents. More CISOs (57%) said cybercriminals were responsible, compared to 47% of other executives. CISOs were also more likely to point to insider threats—47% said they’d had an incident caused by an employee, while only 31% of the rest of the C-suite said the same. These differences could make it harder to prepare for future attacks.
CISOs and other execs also see the impact of investments differently. Three out of four CISOs said AI helped reduce cyber incidents. Fewer non-security executives said the same. Meanwhile, 77% of non-security execs credited training employees for the drop in incidents, compared to 69% of CISOs.
A call to action
“CISOs see escalating threats and vulnerabilities, while the C-suite appears to often believe cybersecurity is handled,” said Guinn. “Cybersecurity incidents carry significant and far-reaching financial repercussions beyond immediate recovery costs. Our research reinforces the urgent need for leaders to come together and develop a comprehensive cybersecurity strategy that addresses the evolving threat landscape and includes clear communication, a shared understanding of the risks and opportunities, and priority areas for investment.”
Despite the risks posed by these key disconnects, there is a silver lining: investment is on the rise. While 21% of C-suite leaders say their organization currently spends more than 10% of its IT budget (the budget under which cybersecurity falls) on cybersecurity, that share is expected to roughly double to 38% next year.
To better maximize this additional capital amid heightened cyber risks and turbulent economic conditions, Guinn and the EY US Cybersecurity team recommend the following:
- Elevate the CISO role: Establish the CISO as a position of ownership over the organization’s security posture, with the mandate to drive strategic security initiatives and influence critical business decisions.
- Invest strategically: Align cybersecurity investments with the organization’s overall business objectives and risk tolerance, ensuring that resources are allocated effectively to address the most critical threats.
- Embrace innovation: Continue reviewing and adopting new technologies and approaches to cybersecurity, including AI and machine learning, to enhance threat detection and response capabilities.
- Develop a culture of cyber confidence: Promote a culture of cybersecurity awareness and responsibility at every level across the entire organization, empowering employees to identify and report potential threats.