×

A survey of retail executives shows many retailers making progress toward strengthening their cyber risk management programs, though they (along with their peers in other industries) could still benefit from improved governance and engagement with business leaders.

It’s not easy being a CIO these days and having to shoulder much—if not all—of the responsibility for an enterprise’s cyber security. But that practice appears to be changing, albeit slowly, as more business executives begin to recognize that accountability for cyber risk cannot rest solely with the IT organization. The many high-profile breaches in recent years have shown business leaders that efforts to prevent, detect, respond to, and recover from cyber incidents require the collective wisdom and authority of executives across a range of functions.

This shift in perspective, from seeing cyber risk as an IT problem to treating it as a business issue, is taking hold in the retail industry, according to findings from a survey of retail executives conducted by Deloitte & Touche in 2014.¹ “Executives at major retailers increasingly regard cyber risk as part of the broader conversation about business risk,” says Alison Kenney Paul, vice chairman and U.S. Retail and Distribution leader for Deloitte LLP. “As a result, they’re starting to seek a broader approach to cyber security than they’ve used in the past, and our survey results back this up.”

For example, two-thirds of respondents are actively reviewing the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, and 21 percent are either already using it or planning to adopt it in the near future.

Despite ongoing concern about breaches, and the number of organizations seeking to align their cyber security programs with the business, retailers have more work ahead to increase executive engagement and improve cyber risk governance. Seventy-one percent of respondents cite a lack of sufficient funding as a primary barrier preventing their organizations from more effectively executing their cyber risk management programs. Kiran Mantha, a Deloitte Advisory principal with Deloitte & Touche LLP’s cyber risk services practice, says the high percentage suggests business decision-makers don’t see a financial justification for increasing investment.

Furthermore, just 37 percent of survey respondents say their organizations report to the board on a quarterly basis regarding their cyber risk posture, while 44 percent say their organizations never report on cyber risk to any business stakeholders.

To bolster executive leadership’s interest in and oversight of cyber risk, CIOs across industries can initiate the following steps:

Host a cyber risk heat-mapping session. Bring senior business leaders together with threat intelligence experts to identify the top areas of cyber risk for the enterprise. By literally highlighting top cyber risks, heat-mapping exercises serve to educate executives and spur dialog and decision-making regarding essential focus areas for the cyber risk program.

Establish key risk and performance indicators. When discussing cyber risk with the board and executive team, security leaders should highlight the most serious risks the business faces, the risk indicators that signal the company’s level of exposure to them, and the methods the company is employing to manage these risks and keep them within acceptable limits. “When tied to business risk, metrics and key risk indicators provide technologists and business leaders with a common language for discussing the state of enterprise security and technology risk,” says Mantha. “They also help executives make decisions about funding, priorities, and investment, while improving accountability for and alignment of the cyber risk program.”

Simulate a cyber incident. Organizations are increasingly turning to cyber war games and other simulations to test and practice their response to cyber incidents. These activities often accomplish several goals: They highlight the fact that cyber incident response is not exclusively an IT issue, but rather one that requires the collective capabilities of the CEO, legal counsel, the chief risk officer, and the head of public relations, among others; they help executives to see the impact a cyber incident can have on the business; they can surface an organization’s blind spots and weaknesses in its response capability; and they tend to make participants keenly aware of the importance of preparedness and the many, varied challenges associated with responding to an incident, according to Emily Mossburg, a Deloitte Advisory principal with Deloitte & Touche LLP and leader of its Cyber Risk Services’ resilience offering. “Due to their realism,” she says, “simulations often create an emotional hook that motivates participants to be more engaged in an ongoing cyber risk program.”

Scrutinize the security implications of new technologies. Companies across industries are looking to exploit the vast commercial potential of existing and emerging digital technologies by using them to create new products and services and otherwise find ways to engender customer loyalty. But just as these technologies spell opportunity, they also present a Pandora’s box of cyber risks that organizations need to actively understand and mitigate. “Security and innovation need not be mutually exclusive in retail or any other industry,” adds Deloitte LLP’s Paul. “For a security program to truly enable a business, reducing the cyber risks associated with strategic technology innovations needs to become a fundamental part of both the cyber risk and product or application development programs.”

*****

“To combat cyber risk, the tone really must start at the top, with the board, CEO, and CFO setting up effective governance and organization structures,” says Mantha. “Part of their mandate as senior leaders is to ensure all employees understand their role in helping to prevent cyber attacks. That includes endorsing creative initiatives (e.g., threat simulations or war games) that teach and reward responsible behaviors across the enterprise.”