C-suite executives - the senior managers with "chief" in their job title - have many worries but it seems there is no single worry for all C-suite executives, just a different, pressing one for each.
An IBM Chief Information Security Officer (CISO) report found that while CISOs believe that all their peers in the C-suite worry about security, they worry about it to different degrees.
CISOs think that 41 percent of CEOs worry about the loss of brand reputation and trust that comes with security breaches. CISOs believe that their CFOs will worry most about the financial loss the company may incur (47 percent), while, again unsurprisingly, the largest number of COOs (42 percent) will worry about downtime.
But how about CIOs? Well, none of them (according to the research) feel financial loss is of any concern to them. In terms of other concerns, they are more or less evenly split, with 26 percent worried about loss of brand reputation, 24 percent about operational downtime and a lowly 18 percent about compliance violations. But the largest group of CIOs (32 percent) ticked the box marked 'Other': so CIOs worry about everything or nothing in particular, depending on which way you look at it.
As IBM points out, this broad spectrum of worries poses a difficult challenge. To help allay these various concerns, the security leaders IBM interviewed say they meet regularly with their boards and C-suite executives with the most popular frequency being once per quarter. When they meet, the top topics that they discuss include identifying and assessing risks (59 percent), resolving budget issues and requests (49 percent) and new technology deployments (44 percent).
The report notes that security chiefs think loss of brand reputation or customer trust is the most important business concern across their organisations, although IBM notes it's hard to track the impact of security breaches and other incidents on brand reputation — "even though there can be an impact to stock price or public perception", the report says.
The increasing mobility within organisations and the proliferation of intelligent devices raised real issues, according to the survey, with fewer than 40 percent of organisations having deployed specific response policies for personally owned devices or an enterprise strategy for bring-your-own-device (BYOD).
The good news is that the gap is being recognised, with 39 percent of CISOs planning to establish an enterprise strategy for BYOD within the next 12 months, and 27 percent doing likewise with an incident response policy.
However, IBM warned that technical and business metrics are still focused on operational issues. While 90 percent of interviewees said they track security incidents, lost or stolen records, data or devices, and audit and compliance status, fewer respondents (12 percent) are feeding business and security measures into their enterprise risk process, even though security leaders say the impact of security on overall enterprise risk is their most important success factor.