CEOs are taking more responsibility for cybersecurity protection

CEOs and boards are stepping up to take more control of protecting their companies from cyberthreats and attacks, a study shows.

Two-thirds of CEOs and boards now have direct oversight of cybersecurity, up from 2017, the study by Accenture says.

Budget authorization is also elevated, with CEOs and boards now approving 59% compared with only 33% last year.

By contrast, the CIO has less control over funding, with a drop in budget authorization to 29% this year versus 35% in 2017.

Seeing heavier involvement from the top is encouraging, given how pervasive cybersecurity threats are, Kelly Bissell, managing director of Accenture Security, told FierceCEO. “We’re seeing CEOs taking this seriously. They have become aware they must focus on this.”

In fact, “This is the first time I’ve seen a positive report in that CEOs are getting more involved,” Bissell said. “They shouldn’t rest, but they are making headway.”

Greater involvement may be working. The average number of cyberattacks per company has more than doubled from a year ago, but organizations are demonstrating far more success in detecting and blocking them, the Accenture survey found.

It’s also taking less time to detect a security breach: days and weeks now, instead of months and years. On average, 89% of respondents said their internal security teams detected breaches within one month compared to only 32% of teams last year. This year, 55% of organizations took one week or less to detect a breach compared to 10% last year.

On average, respondents said only two-thirds of their organization is actively protected by their cybersecurity program. And, while external incidents continue to pose a serious threat, the survey reveals that organizations should not forget about “the enemy from within.” Two of the top three cyberattacks with the highest frequency and greatest impact are internal attacks and accidentally published information.

The Accenture findings show promise compared with a recent survey by CyberArk, which found CEOs had a lot to do to shore up their cybersecurity practices.

“There is work to be done to show a recognition that challenges remain and need to be addressed,” Adam Bosnian, executive vice president of global business development at CyberArk, told FierceCEO.

Another recent survey, by Clutch, found that companies are surrounded by cybersecurity threats, but many are not making it a priority to educate employees about them. The survey demonstrated a lack of awareness that can put companies at risk for IT security breaches and found that employees are less likely to recognize IT services as the primary area of security vulnerability at their company.

What has grown is a cottage industry of cybersecurity firms, specializing in everything from protecting financial service companies to providing insurance against attacks.

Sean Feeney, CEO of DefenseStorm, handles the cybersecurity needs of small banks and credit unions.

And Rotem Iram, CEO of At-Bay, offers policies that cover any financial damages that result from the malfunction of a computer system due to a cyberattack.

Just where do these attacks come from? Mostly from inside, according to a PwC survey.

Incidents attributed to hackers, competitors and other outsiders have declined, the research said. However, those attributed to insiders, such as third parties—including suppliers, consultants and contractors—and employees have stayed about the same or increased.

And as robotics becomes more prevalent, CEOs see new risks tied to these emerging technologies.

“A successful cyberattack on automated or robotic systems could have major consequences, including the disruption of operations, the compromise of sensitive data and damage to product quality,” the PwC survey said.