C-Suite Anxiety: What Strategies Can Alleviate Executive Concerns Over Data Breaches?


It’s not a surprise that data breaches are a nightmare for any team, especially information security. And the staggering costs of a data breach just add to the horror. According to a study from IBM and the Ponemon Institute, an average data breach can cost a company millions of dollars. Further, the odds that a company will experience a data breach rose 2% last year, to 29.6%.

It follows then that C-level leaders worry about how to identify and communicate risk across different departments in order to prevent breaches and other cyberthreats. This, and other feedback from the C-suite, was illuminated in our ERM report, Enterprise Risk and the Modern Organization: A View from the Top. In this report, we used an online survey to obtain quantitative and qualitative responses from 100 CEOs representing a variety of sizes and industries. 

Let’s face it: CEOs have an important and mounting challenge in communicating risk, and the increasing importance of implementing ERM to identify and manage that risk, to their boards and teams. Although the complexity of risk across different departments and projects makes a common decision-making rubric difficult to create, we learned that identifying data-breach risk presents a definite problem. Three in 4 CEOs rate their company’s overall Risk Identification favorably, but they are concerned with risks in three categories: strategic, operational, and macroeconomic risk.

  • Strategic Risk: Ranked a top concern by 33% of CEOs and the second-highest concern for another 38%. Many worry about risk arising from third-party business partners as well as evolving customer demographics.
  • Operational Risk: Ranked a top concern by 33% of CEOs and second by another 26%. These CEOs cite cybersecurity insurance costs and employee misconduct as major threats.
  • Macroeconomic Risk: 1 in 4 CEOs worry about the threat of a recession, followed by global political instability. NOTE: This survey was completed prior to COVID-19.

Challenges Created by Ongoing Risk Monitoring

CEOs recognize that although annual, quarterly, or weekly risk reviews are better than no risk management at all, those assessments can’t effectively protect their organizations from known and unknown risks. They voiced a need for constant, ongoing readiness to quickly respond to risks as they emerge. For many, this presents a challenge. 

Other challenges include:

  • Siloed departments common in core industries like financial services, healthcare, technology, media, and telecom, which make it difficult to attain cross-functional team involvement
  • An inability to define and communicate risk appetite organization-wide
  • A lack of scoring standards, which impedes the successful implementation of a risk scoring system or the development of a methodology that ensures all scores are calculated according to that common standard
  • Limited buy-in or ownership from mid-level management and other employees outside the leadership ranks
  • Insubstantial or ineffective communication about risk posture companywide—from the bottom rungs of the org chart all the way to the board

The Future of Enterprise Risk Management

Knowing that managing enterprise risks is a critical need for their companies, CEOs are seeking simple, streamlined processes that accurately yield information about future risks and quantify known risks. 

The most effective ERMs address weaknesses of tracking/risk scoring systems and key risk indicator (KRI) development. In their ongoing battle to manage risk, most CEOs share ERM information with their boards, and many with their managers, too.

To read the full report, download Enterprise Risk and the Modern Organization: A View from the Top.
