<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Are C-suite Executives our greatest risk? in Governance, Risk, Compliance</title>
    <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/85005#M1415</link>
    <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1610895209"&gt;@vishybear&lt;/a&gt;&amp;nbsp;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/253792811"&gt;@nkeaton&lt;/a&gt;&amp;nbsp; &amp;nbsp;Here in New Zealand and within other countries CEO's and Directors are directly responsible for the financial fiduciary "&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;A fiduciary is &lt;STRONG&gt;a professional who manages money or property for other parties and has a legal duty to act only in their client's best interests.&amp;nbsp;&amp;nbsp;&lt;/STRONG&gt;Including that of the organisation they manage etc.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;CEO's and Directors can be prosecuted under the Companies Act&amp;nbsp; -&amp;nbsp;&lt;A href="https://www.legislation.govt.nz/act/public/1993/0105/latest/DLM319570.html" target="_blank" rel="noopener"&gt;https://www.legislation.govt.nz/act/public/1993/0105/latest/DLM319570.html&lt;/A&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;I assume most countries will have similar regulations and laws.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Regards&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN class=""&gt;&lt;SPAN class=""&gt;Caute_Cautim&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 23 Oct 2025 21:16:00 GMT</pubDate>
    <dc:creator>Caute_cautim</dc:creator>
    <dc:date>2025-10-23T21:16:00Z</dc:date>
    <item>
      <title>Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53099#M733</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;According to a PWC report, the C-Suite Executives are the greatest risk?&amp;nbsp; What do you think?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you concur or do you have another perspective?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://securityboulevard.com/2022/08/pwc-survey-finds-c-level-execs-view-cybersecurity-as-biggest-risk/" target="_blank"&gt;https://securityboulevard.com/2022/08/pwc-survey-finds-c-level-execs-view-cybersecurity-as-biggest-risk/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 10:18:05 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53099#M733</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2023-10-09T10:18:05Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53105#M734</link>
      <description>&lt;P&gt;This quote from the article says it all:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;"The cybersecurity team also often takes the blame for a breach when in fact the root cause is usually traced back to a user that disregarded one cybersecurity policy or another. Sadly, that end user often turns out to be a C-level executive that should have known better."&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;In reality, C-level executives may not always know better. It is often the layer of management below them that is not fully comprehending the gravity of allowing vulnerabilities in production systems and allowing exceptions to policies. And it gets worse, hackers know the odds are that a new release has an approval to go live with vulnerabilities, yes people that happens. There is a lot of application technical debt out there just waiting to be discovered.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 06 Sep 2022 01:41:48 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53105#M734</guid>
      <dc:creator>AppDefects</dc:creator>
      <dc:date>2022-09-06T01:41:48Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53106#M735</link>
      <description>&lt;P&gt;I once had a Sr. VP click on the attachment in an email entitled "ILOVEYOU".&amp;nbsp; When asked if they knew the sender, the reply was "NO, I was just curious:"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Totally agree that middle management sometimes put corporations at risk more than the C-Suite.&amp;nbsp; C-Suite become involved after a breach and typically open the wallet for security spending.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 06 Sep 2022 02:10:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53106#M735</guid>
      <dc:creator>dcontesti</dc:creator>
      <dc:date>2022-09-06T02:10:12Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53108#M736</link>
      <description>&lt;P&gt;It seems much of the article is trying to say the C-suite is now taking security seriously. But I think the larger point is still being missed. Security is a cultural thing, and it can take years to change corporate culture. But if the problem is the C-suite hasn't prioritized security, the other half of the equation is the security folks haven't done a good job either getting that message across or moving into senior management roles.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That said, I think senior management generally is getting the idea or willing to listen now. There's still work to do, but where I see the biggest risk or gap is with young employees. They come into the workplace with certain bad habits and expectations. Maybe 10 or 20 years ago, there was a need to integrate information security into business school. Today, it has to be done at the elementary schools.&lt;/P&gt;</description>
      <pubDate>Tue, 06 Sep 2022 03:54:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53108#M736</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2022-09-06T03:54:26Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53109#M737</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Perhaps, this is where AI fits in, indicating to a C-Suite member, that potentially if you chose this decision, it will have the following consequences or did you know, if you take this particular route, you open up a whole heap of pain for yourself, the organisation and potentially a technical debt, which will keep you spending X number of dollars for the x number of years etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;They need to understand the consequences of their decisions, hindsight is not good enough these days, we need to predict the actual reality from the existing lessons learnt everyday by a lot of organisations and practitioners.&amp;nbsp; We need to commence gathering this data, and using to protect and educate our C-Suite to understand risks associated with their decisions, before they are allowed to throw the big switch to actually make it happen.&amp;nbsp; Scenario based cybersecurity played out, before they are allowed to make that decision.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Rather like Tanker captains put in a miniature ship, within a canal, and taught real live scenarios and to learn the consequences of running aground for instance - I know it does not quite match, but you get my drift.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
      <pubDate>Tue, 06 Sep 2022 04:31:29 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53109#M737</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2022-09-06T04:31:29Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53117#M738</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/809125741"&gt;@Caute_cautim&lt;/a&gt;&amp;nbsp;wrote:&lt;P&gt;Perhaps, this is where AI fits in, indicating to a C-Suite member, that potentially if you chose this decision, it will have the following consequences or did you know, if you take this particular route, you open up a whole heap of pain for yourself, the organisation and potentially a technical debt, which will keep you spending X number of dollars for the x number of years etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;But isn't this the dilemma/challenge? People want an app to think for them. We live in an age of TL;DR - "It's your fault that I am too lazy to read." It's this sense of intellectual entitlement that has led to a willing suspension of common sense. We have conditioned people to follow the crowd or download the app rather than to think. It's not that people are incapable of understanding risk. They just choose not to, and I see that problem prevalent throughout the workforce, not just at the c-suite level.&lt;/P&gt;</description>
      <pubDate>Tue, 06 Sep 2022 12:51:33 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/53117#M738</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2022-09-06T12:51:33Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/54704#M756</link>
      <description>&lt;P&gt;And think about how attackers shift their attacks to avoid the latest security thing.&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I am a burglar I try to break into your house. The battle usually goes like this:&lt;/P&gt;&lt;P&gt;Bad guy (BG): Try the door handle. Finds it unlocked, goes in and steals something.&lt;/P&gt;&lt;P&gt;Home Owner (HO). Installs locking door handles.&lt;/P&gt;&lt;P&gt;BG: Tries handle and finds it is locked. Breaks Window, goes in and steals something.&lt;/P&gt;&lt;P&gt;HO: Repairs glass. Installs surveillance system with glass detection sensors.&lt;/P&gt;&lt;P&gt;BG: Gets a ladder and breaks in through second story window.&lt;/P&gt;&lt;P&gt;HO: Puts sensors on all windows and doors. Gets a dog.&lt;/P&gt;&lt;P&gt;BG. Stakes out your house and learns the security code. Brings a pack of meat. Goes in and steals something.&lt;/P&gt;&lt;P&gt;HO: Puts up a sign that their neighbors house doesn't have locks.&lt;/P&gt;&lt;P&gt;If we shift the responsibility to an Artificial Intelligence (AI) method, a motivated attacker will just change their methodology and attack the new thing.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am attacking the psychology behind the attacks. In our latest phishing test I asked all of the clickers to respond to me on "why" they clicked and it breaks down into roughly 5 psychological areas of attack:&lt;/P&gt;&lt;P&gt;1) Trust - Fooled by a logo or something else they have been taught to trust.&lt;/P&gt;&lt;P&gt;2) Inattentive - Just weren't paying attention&lt;/P&gt;&lt;P&gt;3) Panic - Account lock out, fake charges to their account, a login from Russia, etc.&lt;/P&gt;&lt;P&gt;4) Irresponsible - Mixed personal use with business use&lt;/P&gt;&lt;P&gt;5) Wall of shame - Lying - They lied to me about the reason they clicked. i.e. The dog jumped on my arm while I was just about to delete it. I was about to delete it and I sneezed, etc. 
They hide behind the "wall of shame" because they don't want to admit that they were fooled.&lt;/P&gt;&lt;P&gt;I can create awareness campaigns around those to reduce our click rate.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I think the C-Suite needs to understand the psychology of the attackers and how they prey on our users' psychological weaknesses and allow us CISOs and Information Security folks to use that knowledge to help protect our environments.&lt;/P&gt;</description>
      <pubDate>Fri, 28 Oct 2022 15:14:48 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/54704#M756</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2022-10-28T15:14:48Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/59989#M890</link>
      <description>&lt;P&gt;The article is about how C-Suite Executives view cybersecurity as the greatest risk to their organizations. I, for one, am delighted to see that upper management 'gets it.' Information Assurance\cybersecurity used to be 'tacked on' at the end of setting up a company, pasted on instead of baked INTO the company.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I do encourage our colleagues to read the article.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;thanks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Doctor J.&lt;/P&gt;</description>
      <pubDate>Wed, 14 Jun 2023 01:37:00 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/59989#M890</guid>
      <dc:creator>jbuitron</dc:creator>
      <dc:date>2023-06-14T01:37:00Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/60284#M898</link>
      <description>&lt;P&gt;If we take the context of PWC in Australia - then it seems PWC presented the greatest risk...:)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.msn.com/en-us/money/companies/why-pwc-is-selling-part-of-its-business-in-australia-for-less-than-1/ar-AA1d2Eeh" target="_blank"&gt;Why PwC is selling part of its business in Australia for less than $1 (msn.com)&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 26 Jun 2023 16:30:49 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/60284#M898</guid>
      <dc:creator>Early_Adopter</dc:creator>
      <dc:date>2023-06-26T16:30:49Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/81372#M1324</link>
      <description>&lt;P&gt;coming late to this as it's a 2022 topic,&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;in 2025 there are 2 sets of people I wouldn't give a laptop to until they could prove they can be trusted...C-Suite &amp;amp; Developers.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We're all used to directors leaving laptops on trains with their password on a post it note pasted to it. Usually the day after they've got a replacement one after losing their previous one.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, these days, DevOps, Developers are multiples more dangerous. They all want admin or similar rights, randomly create accounts or download random libraries from Github or PyPi with no oversight. These days Visual Studio Code plugins are an attack vector. In a previous job, we refused to let ANYONE install these on the VDI the offshore teams were using without justification from their managers. I would extend this to libraries and Github repositories and FOSS.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Chatbots now as well extends this to normal users too. Automated Agents.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 12 Jun 2025 14:40:48 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/81372#M1324</guid>
      <dc:creator>vishybear</dc:creator>
      <dc:date>2025-06-12T14:40:48Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84630#M1375</link>
      <description>&lt;P&gt;C-suite executives have wide access to sensitive data, make high-impact decisions, and are frequent targets for phishing or social engineering. That makes them a significant insider risk if they are careless, misinformed, or compromised.&lt;/P&gt;</description>
      <pubDate>Sat, 11 Oct 2025 21:46:20 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84630#M1375</guid>
      <dc:creator>mrsimon0007</dc:creator>
      <dc:date>2025-10-11T21:46:20Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84635#M1376</link>
      <description>I remember as a desktop support guy... it was ALWAYS directors who'd leave laptops on the train</description>
      <pubDate>Sun, 12 Oct 2025 12:26:29 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84635#M1376</guid>
      <dc:creator>vishybear</dc:creator>
      <dc:date>2025-10-12T12:26:29Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84658#M1377</link>
      <description>&lt;P&gt;This is why one implements automated group policy mechanisms to encrypt hard drives, enforce screen locks, use MFA when possible, and to enable remote-wipe-and-report.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Also, buy them an Airtag to keep in their laptop bag.&amp;nbsp; Might cause their phone to beep while there is still time to go back for it.&lt;/P&gt;</description>
      <pubDate>Mon, 13 Oct 2025 01:39:09 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84658#M1377</guid>
      <dc:creator>denbesten</dc:creator>
      <dc:date>2025-10-13T01:39:09Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84698#M1379</link>
      <description>&lt;P&gt;Absolutely, that is combined with our technicians/technology specialists.&amp;nbsp; If I may explain.&amp;nbsp; According to the governing bodies (IEEE/ACM, INCOSE, ISO, etc), cyber is the combination of the people, processes, and technology.&amp;nbsp; Combined this becomes a socio-technical system (or STS).&amp;nbsp; Much of leadership came from a single technology or field - this skews the leader into believing their "flavor" is the single cybersecurity "flavor" - this month it is "AI", it has been "secure software", "IT based security", "IS based security" etc.&amp;nbsp; I have been told multiple times I cannot fill a "C" suite role as I can explain threats so other org leaders can understand what is going on.&amp;nbsp; This terrifies me.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When leadership neither reads nor understands the whole picture, they handicap their own organization (people), their processes, and hinder their technology.&amp;nbsp; Worse their actions can impose the actions onto business affiliates tied to them (think third party risk) their actions not only expose themselves and their organizations, but anyone doing business with them.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Currently, I am working on job crafting research, oddly multiple vendors (two of the big ones) are still saying Cyber is a sub component of Information Technology, Computer Science, Computer Engineering, Software Engineering, Data Science, or even Information Systems.&amp;nbsp; Information Systems is probably the closest to being correct (as it should have an integrated STS).&amp;nbsp; If your certification body is antiquated and out of touch with reality, how can you be anything but?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I realize this isn't just about cybersecurity but all "C" suite folks, if their decision making processes are antiquated because those teaching them are antiquated (think tenure faculty who have not updated 
their "general knowledge" but only conducted specialized "research" they want to deal with).&amp;nbsp; This is job crafting, it is how we broke up our departments to begin with - do what you are good at, let others deal with what you are not good at.&amp;nbsp; Those who are good at our weaknesses, often hate what we are good at.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As a side note, several certification bodies went on to say they are only responsible for "digital" components, not responsible for end-users, end-user actions, or the processes of the organization.&amp;nbsp; Essentially, when we look at breaches, we recognize breaches occur in the people, processes, or technology - essentially finding the weakest of the STS countermeasure components.&amp;nbsp; Certifying bodies who deny the people or processes are saying it is someone else's job - but definitely not theirs. I cannot respect any cybersecurity certifying body that says "it's someone else's problem".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We as professionals are responsible for our working organizations, we can vote our profession (by membership), by researching, and by refusing to be part of organizations that refuse to update their philosophies or be responsible for their professionals.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Oct 2025 00:52:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84698#M1379</guid>
      <dc:creator>ervinfrenzel</dc:creator>
      <dc:date>2025-10-14T00:52:12Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84705#M1380</link>
      <description>There is a MASSIVE issue in the tech industry across the whole board that refuse to acknowledge that humans exist.&lt;BR /&gt;&lt;BR /&gt;Everyone has processes, ‘good practices’, standards, etc etc yet are STILL surprised when a user will do something because it makes their job easier to do. Or Directors that insist on letting their kids use Minecraft on their work laptops. I’ve even worked in a place where we provided IT support to a director’s wife and kids.&lt;BR /&gt;&lt;BR /&gt;Every department in organisations is understaffed now, outsourcing, offshoring make things even harder. Yet for some reason, saying to the Directors or the C-Suite..”YOU decided to stick this Helpdesk offshore and YOU decided to make our IT support work out of the same office builds and sound identical to the scammers that call our users everyday. How come it’s suddenly OUR problem” is seen as something that isn’t done. (Unless it’s me)&lt;BR /&gt;&lt;BR /&gt;I think training needs to be directed toward the technical resource on how to understand humans as much as it’s needed for staff to understand how to recognise a phishing email.&lt;BR /&gt;&lt;BR /&gt;There’s been too much STEM STEM STEM recently and not enough concentration on looking at the soft skills, psychology, basic human nature and how to talk to people.</description>
      <pubDate>Tue, 14 Oct 2025 12:46:29 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84705#M1380</guid>
      <dc:creator>vishybear</dc:creator>
      <dc:date>2025-10-14T12:46:29Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84706#M1381</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1610895209"&gt;@vishybear&lt;/a&gt;&amp;nbsp; &amp;nbsp;We have been emphasizing STEAM for years because of that soft skills component.&amp;nbsp; You are correct that they need those very human interaction skills.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Oct 2025 13:25:04 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84706#M1381</guid>
      <dc:creator>nkeaton</dc:creator>
      <dc:date>2025-10-14T13:25:04Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84794#M1384</link>
      <description>&lt;P&gt;It grates on my nerves, like fingernails on a chalkboard . . every time I see the phrase "IT Security." The 'information technology' portion of 'security' is only a percentage of the entirety.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And, you mentioned how cyber professionals like CISOs are continually placed 'under' authorities like the CFO, the COO, the CEO, ad infinitum, ad nauseam . .&amp;nbsp; &amp;nbsp;I found a paper by Rebecca Herold that clearly states (and logically so) how the CISO should/must be independent and not have their authority hamstrung or shackled. (Now, I need to scan that work into my PC) . . or find a copy online.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;keep thinking . . it may be a dangerous occupation, yet it is Now needed in cyber More than Ever,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dr. Jan, DCS&lt;/P&gt;&lt;P&gt;(aspiring CISO)&lt;/P&gt;</description>
      <pubDate>Fri, 17 Oct 2025 00:35:00 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84794#M1384</guid>
      <dc:creator>jbuitron</dc:creator>
      <dc:date>2025-10-17T00:35:00Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84800#M1385</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/986863095"&gt;@jbuitron&lt;/a&gt;&amp;nbsp;agree with you.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Most do not see the entire picture and many think it is an IT issue.&amp;nbsp; WRONG for so many reasons.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have always found it amazing that Audit gets a seat with the Board but not Security.&amp;nbsp; I suppose that comes from external Auditors pounding on tables and pointing to deficiencies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you find Rebecca's paper, would love to read it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;d&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Oct 2025 09:54:24 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84800#M1385</guid>
      <dc:creator>dcontesti</dc:creator>
      <dc:date>2025-10-17T09:54:24Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84810#M1386</link>
      <description>&lt;P&gt;Hi dcontesti,&lt;/P&gt;&lt;P&gt;Rebecca Herold's work on Organization and Roles is within this edition of the Information Security Handbook available online at:&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.ic.unicamp.br/~rdahab/cursos/inf712/repositorio/ISMHandbook_toc.pdf" target="_blank"&gt;https://www.ic.unicamp.br/~rdahab/cursos/inf712/repositorio/ISMHandbook_toc.pdf&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a copy of the .pdf attached. Please keep in mind that cybersecurity/Information Security papers regarding structure and operations that do not 'get old' like Microsoft Windows '95 does. Great Work is always Great work!&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This ISC2 site won't allow me to upload the .pdf with just the article in it. Nevertheless, it is in the handbook at the link.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This was the first paper that I found when I was starting the Norwich U., MSIA in 2008. It STILL RINGS TRUE.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;best regards,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dr. Jan F-B., DCS&lt;/P&gt;&lt;P&gt;CISSP, C-CISO&lt;/P&gt;</description>
      <pubDate>Fri, 17 Oct 2025 13:14:20 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84810#M1386</guid>
      <dc:creator>jbuitron</dc:creator>
      <dc:date>2025-10-17T13:14:20Z</dc:date>
    </item>
    <item>
      <title>Re: Are C-suite Executives our greatest risk?</title>
      <link>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84813#M1387</link>
      <description>&lt;P&gt;Ok, So let's recognize we are talking about two separate types of security - IT Security is just that security that deals with IT I'm including a pic to assist.&amp;nbsp; The reason it is important to recognize is that ISACA and such state Cyber is a sub-component of IT Security which is a sub-component of IT which is an enabler for the business.&amp;nbsp; Effectively we are fighting the colleges of business on this one (which I am totally good for).&amp;nbsp; I realize we are not ISACA, but many of the leaders in business have subscribed to those philosophies and ones like them.&amp;nbsp; When I wrote my exegesis - I spelled these out.&amp;nbsp; Since then I have simply created a chart to help folks (mostly students) understand - there is a place within business for IT security, and IS security, and secure software development - but this fight has been going on for some time.&amp;nbsp; We have to recognize that IT absorbed IS, or most of its functions in the early 2000's - and the terminology IT now means something different to business than it does to technologists.&amp;nbsp; In business it means all of the technologies used to regulate their organizational technology - effectively everything.&amp;nbsp; In technology it is the hardware and software used by technologist to keep the organization going..&amp;nbsp; It's a subtle difference, but one just the same.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ervinfrenzel_0-1760708124451.png" style="width: 400px;"&gt;&lt;img src="https://community.isc2.org/t5/image/serverpage/image-id/10267iA6553DF5C9CA41FB/image-size/medium?v=v2&amp;amp;px=400" role="button" title="ervinfrenzel_0-1760708124451.png" alt="ervinfrenzel_0-1760708124451.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Remember if we want to properly address the problem, we need to address it properly.&amp;nbsp; We need to 
recognize that all of us are not cyber practitioners.&amp;nbsp; Some are technology specialist (which are as important if not more so at times), some are people specialists, some are process specialists.&amp;nbsp; Bottom line is cyber is not an individual sport, it is a team event - it takes everyone together to make it happen.&amp;nbsp; From the listing above, all of the components are necessary to create a defense.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At least if they are referring to it as "IT Security" and they understand it from the technologist point of view, we have hope to educate them about other securities and make an organizational change.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Ervin Frenzel, PhD&lt;/P&gt;&lt;P&gt;Cybersecurity Leadership&lt;/P&gt;&lt;P&gt;CEI, CCISO, CISSP-ISSAP, CISSP-ISSMP, ECSA&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 17 Oct 2025 13:51:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Governance-Risk-Compliance/Are-C-suite-Executives-our-greatest-risk/m-p/84813#M1387</guid>
      <dc:creator>ervinfrenzel</dc:creator>
      <dc:date>2025-10-17T13:51:52Z</dc:date>
    </item>
  </channel>
</rss>

