Many of Australia’s chief executive officers are in denial about or simply unaware of cyber security threats to their organisations, according to a new report.
Unisys spoke to 88 CEOs and 54 chief information security officers (CISOs) across the private and public sector, predominantly from the SME sector (fewer than 200 staff), and found that only 6 per cent of CEOs say their organisations had suffered a data breach in the last 12 months. This compares to 63 per cent of CISOs who reported breaches in their organisations.
Almost half (44 per cent) of CEOs felt that their organisations can respond to cyber threats in real time. Unfortunately, their CISOs don’t feel the same way, with only 26 per cent indicating that this is the case.
Meanwhile, just over one half (51 per cent) of CEOs feel that their data collection policies are clear to consumers or citizens compared to 26 per cent of CISOs. Further, CEOs (14 per cent) are also more likely to believe that their organisation adheres to the Australian Privacy Principles for data collection than CISOs (7 per cent).
What the study found is pretty much a disconnect and lack of communication between the two very important roles of CEO and CISO, said Gergana Kiryakova, industry director, cyber security, for Unisys Australia and New Zealand.
“As we know, the CISOs report into the CIO, CRO (chief revenue officer) or CFO. And the CEO is the one who gets the information from the other stakeholders. In this survey, we were expecting a disconnect but not such a big one,” Kiryakova said.
There’s also a massive disconnect when it comes to business planning, with only 27 per cent of CEOs indicating that cyber security was part of their plans compared to 69 per cent of CISOs.
“How is it that they don’t actually speak with each other? There’s definitely a lack of communication between the two. One-third [of CEOs] believe cyber security is an IT or operations issue. So they do not see it as a business priority and as a consequence, they don't [include] it as part of their business planning," she said.
CEOs and CISOs have different definitions of what constitutes a cyber breach, she adds.
"For a CISO, [theft of] metadata might represent a data breach whereas for a CEO, the metadata might not. So effective communication and shared definitions [of what constitutes a breach] are something to strive for and can be achieved with correct communication."
So what needs to happen for CEOs to get with the cyber security program? Kiryakova is adamant that in the next 10 years, more and more CEOs with technology backgrounds will lead organisations across the board.
She told CIO Australia that the Australian Institute of Company Directors and Unisys are educating boards on cyber security by running workshops.
"It's a question of process, it's a journey that is going to happen over time. They can definitely make a decision to move the priority up in their agenda."
But as it stands at the moment, 25 per cent of the organisations surveyed that have boards do not report on cyber security to their board members on a regular basis.
Follow Byron Connolly on Twitter: @ByronConnolly