Clarity Up Front
- ‘Convergence’ between corporate and cyber security has been a hot topic of discussion for well over a decade, but debates have tended to be binary: converge or not?
- 92% of C-Suite executives said they felt that corporate security should be accountable or responsible for cyber security, but only 15% of CSOs surveyed by The Clarity Factory are operating within a converged model.
- Cyber security has become a top-three board-level priority, as companies have become tech-dependent and cyber risks have increased.
- Cyber security functions have grown significantly, but have been impacted by high turnover, spiralling salaries, and talent shortages.
- Boards and executive committees are asking all risk-related functions to collaborate and offer a unified view of risk, and the interface between corporate and cyber security is critical.
- There is no agreed vision for convergence, and the term itself has become divisive within the industry.
- Corporate security functions should instead seek ways to align with cyber security at the levels of governance, strategy, operations, and intelligence, in order to provide a holistic security stance for their companies.
- The Clarity Factory has launched a major industry-wide study that will result in a clear articulation of the business value of holistic security, different models for achieving it, guidance on how to choose the right model for your company, and a step-by-step guide to delivering holistic security in practice.
Information about The Clarity Factory’s work on Holistic Security, supported by companies, including, Barclays, BP, Johnson Matthey, and Scentre Group, can be found here. To get involved, contact Rachel Briggs
Converge or not? Beyond binary discussions about corporate and cyber security
‘Convergence’ between corporate and cyber security has been a hot topic of discussion for well over a decade, but debates have tended to be binary: converge or not? They have often assumed that convergence can only be achieved by corporate security and cyber security coming together into a single function under the leadership of one person, with pooled talent, technology, information, and budget. This all-or-nothing view of convergence offers no accommodation for variations between companies, in terms of risk profile, relative importance of digital versus physical security, company governance and ownership structure, or geographic footprint.
Convergence levels are low
It is perhaps not surprising that very few companies have converged; only 15% of CSOs surveyed by The Clarity Factory are operating within a converged model. CSOs tell us that complexity, cost, and lack of knowledge hold them back from convergence, or even fostering a closer relationship with cyber colleagues. It is notable that two-thirds of corporate security functions lack technology skills, and less than one-quarter have an innovation budget.
Support for alignment between corporate and cyber security is high
There is an appetite among CSOs for closer alignment between corporate and cyber security; more than one-quarter share certain responsibilities with their cyber counterparts, and over half say their function is in some way ‘involved’ with cyber security. A slim majority (58%) of CSOs agree that effective security risk management relies on corporate/physical security and cyber security coming together into a single function, and 92% of C-Suite members said they felt that corporate security should be accountable or responsible for cyber security.
Cyber security is a leading risk for global companies
Cyber security has become one of the most important risks for multinational corporations; almost two-thirds (61%) of enterprise firms were targeted in 2021, up from 51% in 2020. The impact of cyber events extends well beyond ransom payments, and includes remediation efforts, higher insurance premiums, business disruption, lower production, delays, reputational damage, intellectual property theft, litigation, and regulatory breaches. Effective cyber security is essential to operational resilience.
It is therefore not surprising that cyber security has become a top priority for a majority of board directors. As a leading recruiter for non-executive board directors told Savanti, “When you think about the things that keep them up at night, it’s cyber, because the impact can be unquantifiable. When it comes to data breaches, cyber hacks, the impact on your business can be exponential and potentially existential.” Increased board prioritisation of cyber security is not just due to the increased frequency of attacks, but also their growing media reporting, a heightened focus on operational resilience, investor pressure, and cyber regulation.
Cyber security functions have matured, but struggle as a result of turnover and talent gaps
In recent years, cyber security functions have rapidly matured, broadened and deepened their capabilities, and they now regularly contribute at both Executive and Board levels to meet demand for improved visibility of cyber risk. Four cyber labour market factors result in instability within many cyber functions, which impacts cyber preparedness.
- There is a dearth of high-end CISOs; Russell Reynolds Associates estimates that 60% operate at a junior level.
- There is exceptionally high turnover among CISOs; their average tenure is 2.3 years, compared to 6.9 years for a CEO and 4.6 years for a CIO.
- Low supply and high demand has seen CISO salaries spiral; median packages for CISOs in the US rose from $784,000 in 2020 to $936,000 in 2021.
- There are thousands of unfilled cyber roles and not enough qualified candidates entering the workforce. These factors
Boards and executive committees are asking all risk-related functions to collaborate to produce a unified view of risk
Multinational corporations increasingly manage risks that span functions, fall outside the remit of any individual function, and are dealing with multiple risks concurrently. Silos cause missed opportunities, obscure risks, and create blind spots. As a result, business leaders are demanding a more unified, functionally agnostic view of risk, placing a premium on functions that can collaborate and integrate to strengthen their company’s operational resilience. Closing the gaps between corporate and cyber security is critical.
Towards a holistic approach to corporate and cyber security
There is no agreed vision for ‘convergence’, and the term itself has become divisive within the industry. In recent discussions with CSOs, many stressed their reluctance to use the term at all, because it has become associated with a presumed end state for the relationship between corporate and cyber security. What’s needed instead is a more nuanced approach, one that recognises variations in risk, organisational structures, and cultural norms, and defines the characteristics present in organisations where the partnership creates the most value for the company.
While holistic security must be rooted in organisation realities, companies do need guardrails to anchor their approaches; ‘no-size-fits-none’ is just as limited as ‘one-size-fits-all’. CSOs, CISOs, and C-Suite are looking for a clearly articulated vision and roadmap, without which paralysis will continue. That’s why The Clarity Factory study will result in a series of holistic security models, and guidelines to help companies choose which approach is right for them. The models will operate at the levels of governance, strategy, operations, and intelligence, and will take into account other risk-adjacent functions, as well as corporate and cyber security.
Debates about the relationship between corporate and cyber security are not new, but we have reached an inflection point for both functions. Boards and executives are looking for risk leaders to collaborate for the collective good, but they and their security leaders struggle to articulate what that means for the relationship between corporate and cyber security.
It’s time for corporate security leaders to make the business case for holistic security, present a clear vision for their company, and be ready to lead together with their cyber peers to deliver operational resilience in the face of today’s volatile global business environment.
Holistic Security: How to right-size the relationship between corporate and cyber security launched in April 2024, will involve surveys and interviews with CSOs, CISOs, and C-Suite members, and will result in a blueprint due for publication in Spring 2025.
For more information about The Clarity Factory’s work on Holistic Security, and to get involved, contact Rachel Briggs.
Photo by Laura Meinhardt