The document summarizes the findings of a survey of over 700 C-suite executives from 29 countries and 18 industries regarding their perspectives on cybersecurity. Some key findings include: 75% of CxOs believe a comprehensive cybersecurity program is important; however, over half may be overstating the likelihood of a significant cybersecurity incident. Additionally, while CxOs acknowledge some risks, they understate risks from insiders and overstate risks from external threats. The C-suites were clustered into three groups based on their cybersecurity effectiveness: not prepared, progressing, and cybersecure. The cybersecure C-suites were more likely to have robust cybersecurity governance and collaboration.

1. ©2015 IBM Corporation1 18 February 2016
Cybersecurity perspectives from the boardroom and C-Suite
Securing the C-Suite
Carl Nordman, IBM Institute for Business Value
Diana Kelley, Executive Security Advisor, IBM Security

2. Today’s panelists
Carl Nordman
Research Director
IBM Institute for Business Value
https://securityintelligence.com/author/carl-nordman/
https://www.linkedin.com/in/carlnordman
Diana Kelley
Executive Security Advisor
IBM Security
https://securityintelligence.com/author/diana-kelley
https://www.linkedin.com/in/dianakelleysecuritycurve

3. Why survey the C-Suite on
cybersecurity?
Cybercrime is an insidious threat that has reached crisis levels. Though hard to
quantify with precision, estimates of the cost of cybercrime to the global economy
may range from $375 billion USD to $575 billion per year.
• Reputational damage, financial loss, national security concerns, loss of
intellectual capital, to name just a few, characterize some of the risks the C-suite
is taking serious notice of
• Historically considered a technical issue within the domain of the IT department,
security is now a central topic within operations, across the C-suite and elevated
to the board level
The objective of this study is to gain a perspective on Cybersecurity through the
lens of the executive suite to gauge their level of understanding and engagement
with cybersecurity risks and practices and contrast that against CISO concerns
and known issues uncovered by Security experts.

4. ©2015 IBM Corporation 18 February 20164
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
Agenda

5. ©2015 IBM Corporation 18 February 20165
We surveyed over 700 C-suite executives in 29 countries,
across 9 roles, representing 18 industries
Q4 . In what country is your enterprise headquartered? Select one.
IBM Confidential
Sample Size 702
North America
Central and
South America
Western Europe
Middle East
and Africa
Central and
Eastern Europe
Asia Pacific
Japan
24%
24%
12%
4%
17%
12%
7%

6. ©2015 IBM Corporation 18 February 20166
Data was collected using a survey with 20 questions for all
C-suite participants and an additional 3-5 specific to each role
Questions asked
across
C-suite roles
CEO
CHRO
! 5 Demographic
! 5 Risk awareness
! 5 Capability and
preparation
! 5 Governance
Role Specific Examples
! Cybersecurity importance relative to
other strategic issues
! Willingness to share information
(internally and externally)
! Deployed employee education
! Protected critical employee personal
sensitive data
CFO/CRO
! Degree security is incorporated into
ERM plans
! Protected critical financial and risk
data

7. ©2015 IBM Corporation 18 February 20167
Industry
There is a balanced representation across company size,
industry and C-suite role
Over $10B
$500M - $1B
$1B – $10B
5%
45%
15% Chief Executive Officer
Chief Financial Officer
Chief Information Officer
Chief Marketing Officer
12%
Chief Human Resource Officer
Chief Legal/Compliance Officer
Chief Risk Officer
Chief Operations Officer
4%Chief Supply Chain Officer
13%
13%
13%
13%
12%
12%
8%
Company size in $USD
annualized revenue
C-suite role
Under $500M 35%
Sample Size 702

8. ©2015 IBM Corporation 18 February 20168
Agenda
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond

9. ©2015 IBM Corporation 18 February 20169
IBM’s 2015 Global C-Suite study revealed IT security risks
have risen to become a top concern
IBM 2015 C-Suite Study: Source: Q1.4 Which of the following technologies will revolutionize your business in 3 to 5 years? [Rank up to 3] cut by Q2.3 Which of the following risks do
you think may occur in 3 to 5 years as a result of the technology you ranked #1 in question 1.4? Rake-weighted n=5247
This is a marked change from just two
years ago, when security concerns
made just a blip on their radar screens.
Disruptive technologies where IT Security
risk was selected as #1 Top Concern
• Mobile solutions
• Cloud computing
• Smart, connected (IoT)
• Cognitive computing
• Advanced manufacturing technologies
• Man-machine hybrids
Greatest risks with emerging, disruptive technologies

10. ©2015 IBM Corporation 18 February 201610
CxOs’ consistent IT risk concerns across both studies masks a
prevailing issue that legacy vulnerabilities still remain high
The latest “technologies du jour” such as
mobile are capturing more Executive level
attention, despite the fact that there are,
currently, fewer known incidents through
these channels than others (e.g. legacy
applications, vendor/partner system
integration points, network security).
Admittedly, legacy infrastructure
vulnerabilities remain a top of concern for
all. They are exacerbated by emerging
technologies (e.g. API Security).

11. ©2015 IBM Corporation 18 February 201611
Response
Seventy-five percent of CxOs believe a comprehensive
cybersecurity program is “important to extremely important”
Prevention
Detection
Remediation
76%
74%
78%
77%
Q12 . How important are the following elements of a cybersecurity plan in each of the areas described below? Please rate each
item below on a scale of 1 to 5, with 1 being “Not at all important”, 5 being “extremely important”, or “Don’t know”.
Sample Size = 691
% of C-suite indicating cybersecurity
plan components are important to
extremely important
Weighted average response for
whole cybersecurity plan is
important to extremely important
75%

12. ©2015 IBM Corporation 18 February 201612
Greater than 75%
On average the C-suite may be overstating the probability of a
significant cybersecurity incident occurring at their company
Already happened
It’s inevitable
50%-75%
8%
1%
6%
C-suite view of the probability of a
significant cybersecurity incident in
the next 2 years
C-suite weighted average view of the
probability of a significant cybersecurity
incident in the next 2 years
38%
Q9 . What do you believe is the probability of a significant Cyber Security incident affecting your enterprise in the next 2 years? Note,
“significant” is defined as an event that would cause a material disruption to operations, customers, vendors. Select one.
1: 2015 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by IBM, independently conducted by Ponemon
Institute LLC, May 2015.Page 20, figure 15
Sample Size = 702
Over 0% to 25%
25%-50%
0% probability
23%
51%
5%
6%
The 2015 “Cost of Data Breach
Study” estimated the probability
of a breach resulting in the theft
of 10,000+ records over 2 years
to be about 22%1
probability

13. ©2015 IBM Corporation 18 February 201613
Half or more of CxOs acknowledge the risks of industrial
espionage and organized crime but understate others
50%
32%
26%
54%
Riskiest threat actors selected by
C-suite respondents
Current/former vendors
Foreign governments
Organized crime groups
Competitors outside industry
Domestic government
Organized terrorist groups
Rogue individuals
Current/past employees
Competitors in industry
19%
17%
23%
70%
Q7: Rank the top three entities that you believe represent the most significant threats to Cyber Security for your enterprise, with 1 being
most significant.
1: UNODC Comprehensive Study on Cybercrime 2013
2: IBM 2015 Cyber Security Intelligence Index - https://securityintelligence.com/economic-espionage-the-global-workforce-and-the-
insider-threat/
Sample Size = 702
8%
• 80% of material threats arise from
organized crime groups1
• 31.5% of data breaches are
attributable to malicious insiders
(employees, contractors, vendors)2
• 23.5% of data breaches are due to
inadvertent actors, (insider errors,
non-adherence to policy )2
On average, they overstate the risk
from Rogue actors and understate the
risk from employees, foreign
governments and industrial espionage

14. ©2015 IBM Corporation 18 February 201614
Agenda
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned the most prepared
Recommendations: C-suite considerations for 2016 and beyond

15. ©2015 IBM Corporation 18 February 201615
While a majority of CEOs agree more collaboration is needed
with government, industry and across borders, more than two-
thirds are unwilling to participate in that collaboration
CEO agreement with need for external
collaboration with various groups
CEO reticence to participate in sharing
incident information with them
Q2 – CEO: To what extent are you willing to disclose Cyber Security incidents with the following stakeholders on a scale of 1 to 5 with 1 being not at all and 5
being extensively. Externally = Vendors, Regulators, Industry Competitors, Third Party Security Experts
Q3-CEO: On the following Cyber Security related actions, please indicate if you agree or disagree with each statement
Sample Size = 87

16. ©2015 IBM Corporation 18 February 201616
On average the C-suite appears highly confident in the
veracity of their cybersecurity plans
% C-suite respondents by role that
report the cybersecurity strategy of
their company is well established
70%
66%
63%
76%
59%
55%
51%
61%
77%
CEO
CMO
CIO
CHRO
CFO
CLO
CRO
CSCO
COO
C-suite average response that
the cybersecurity strategy of
their company is well
established
65%

17. ©2015 IBM Corporation 18 February 201617
In light of responses on the degree of C-suite engagement on
cybersecurity issues, that confident view starts to erode
% C-suite respondents by role that
report they are very engaged in security
threat management discussions
% of C-suite highly
engaged in
cybersecurity threat
management
40%
% of C-suite agree
cybersecurity plan
incorporates C-suite
collaboration
31%
56%
48%
45%
56%
43%
41%
38%
43%
57%
CFO
CMO
CIO
CRO
CHRO
CEO
CSCO
CLO
COO
High
Engagement
Low to No
Engagement
44%
52%
55%
44%
57%
59%
62%
57%
43%

18. ©2015 IBM Corporation 18 February 201618
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
Agenda

19. ©2015 IBM Corporation 18 February 201619
Methodology to cluster effectiveness of C-suite on Cyber
Security across 7 factors
3 Strategic components:
Q10.1 Evaluating potential security issues across all initiatives (C-Suite collaboration)
Q10.2 Indentifying critical enterprise data (the Crown Jewels)
Q10.3 Developing an effective response plan in the event of a breach (internal &
external)
4 Tactical components:
Q13.1 Prevention: Having necessary prevention practices and tools in place
Q 13.2 Detection: Deploying continuous monitoring & detection tools
Q13.3 Response: Implementing a comprehensive response plan
Q13.4 Remediation: Implementing remediation plans to strengthen security
We asked respondents how they have prepared strategically and
tactically along these factors and used responses to these
questions to see if clusters emerged, by capability.

20. ©2015 IBM Corporation 18 February 201620
An analysis of the responses to these specific questions
revealed three distinct clusters
Sample Size = 702
Q10. To what extent has your organization established and implemented Cyber Security plans and capabilities across your enterprise? Please
rate each item below [Strategic Plan, Data Protected, Response Plan ready] , on a scale of 1 to 5, with 1 “Not at all”, 5 being “Extensively”
Q13 . Considering your entire enterprise, how effective are current Cyber Security plans in each of the areas described below [Prevention,
Detection, Response, Remediation]? Please rate each item below on a scale of 1 to 5, with 1 “Not at all effective”, and 5 being “extremely
effective”

21. ©2015 IBM Corporation 18 February 201621
Companies with a “cybersecure” C-suite are more than twice
as likely to have a security office and have appointed a CISO

22. ©2015 IBM Corporation 18 February 201622
A “cybersecure” C-suite is more likely to be governed with
C-suite collaboration built into the plan

23. ©2015 IBM Corporation 18 February 201623
A “cybersecure” C-suite provides far more transparency and
communicates more with the Board of Directors

24. ©2015 IBM Corporation 18 February 201624
Overview: Approach and demographics
Context: The C-Suite view of cybersecurity risk
The collaboration factor: Governance and collaboration
Being cybersecure: Lessons learned from the most prepared
Recommendations: C-suite considerations for 2016 and beyond
Agenda

25. ©2015 IBM Corporation 18 February 201625
1. Understand the risks
2. Collaborate, educate and empower
3. Manage risk with vigilance and speed
A set of three recommendations emerged for the C-suite to
consider as they evolve their cybersecurity capabilities

26. ©2015 IBM Corporation 18 February 201626
Learn more about the study: Securing the C-Suite
Visit ibm.com/security/ciso to download the report

27. ©2015 IBM Corporation 18 February 201627
Learn more about IBM Security
countries where IBM delivers
managed security services
industry analyst reports rank
IBM Security as a LEADER
enterprise security vendor
in total revenue
clients protected
including…
130+
25
No. 1
12K+
90% of the Fortune 100
companies
Join IBM X-Force Exchange
xforce.ibmcloud.com
Visit our website
ibm.com/security
Watch our videos on YouTube
IBM Security Channel
Read new blog posts
SecurityIntelligence.com
Follow us on Twitter
@ibmsecurity

28. ©2015 IBM Corporation 18 February 201628
Learn more about the IBM Institute for Business Value
For more information
To learn more about this IBM Institute for Business Value study, please contact
us at iibv@us.ibm.com. Follow @IBMIBV on Twitter, and for a full catalog of our
research or to subscribe to our monthly newsletter, visit: ibm.com/iibv
Access IBM Institute for Business Value executive reports on your mobile device
by downloading the free “IBM IBV” app for your phone or tablet from your app
store.
The right partner for a changing world
At IBM, we collaborate with our clients, bringing together business insight,
advanced research and technology to give them a distinct advantage in today’s
rapidly changing environment.
IBM Institute for Business Value
The IBM Institute for Business Value, part of IBM Global Business Services,
develops fact-based strategic insights for senior business executives around
critical public and private sector issues.

29. THANK YOU

30. ©2015 IBM Corporation