
ML Journal August 2022

POV: Making Cyber Responsibility Clear

The good news from MLC’s new cybersecurity survey is that more manufacturers than ever before — 62% in fact, according to the study — have put in place formal cyber plans and strategies to defend their companies against increasing numbers of cyber attacks.

That’s a big and welcome change from just four years ago, when slightly more than one-third had such plans in place. And there was even more good news from the new survey: manufacturers are also growing their internal cyber competencies, providing more cyber training to employees, and even availing themselves of such measures as cyber insurance.

The one area, however, that is still cause for some concern is at the organizational level. When asked who is in charge of cybersecurity efforts, again this year the picture that was painted was one of diffused, or scattered, responsibility. Half of survey respondents indicated that their head of corporate IT is in charge of cyber in their companies. Another 28% said it was their Chief Information Security Officer, 25% said it is a dedicated IT/OT team, and another 17% indicated it is their head of manufacturing. Only 15% of this year’s survey respondents said they have a dedicated Chief Cyber Security Officer (respondents were instructed to answer the question by checking all that apply, so the percentages add up to more than 100%).

Even allowing for different size, complexity, and culture, organizational responsibility for cybersecurity has long been slippery in manufacturing companies. This is due, in part, to the technical nature of cyber, including whether IT or OT systems are involved, as well as the relative newness of the discipline itself.

In some ways, the current situation reminds me of the debate in the 1980s with the then-new role of the Chief Information Officer. Back then, CIOs struggled with getting their corporate footing, particularly with the C-suite and getting a seat at the so-called leadership table.

A recent study entitled “Security and the C-Suite: Making Security Priorities Business Priorities”, conducted by the Ponemon Institute for LogRhythm, sheds light on the organizational problem, particularly lines of reporting. The study says that 93% of cybersecurity professionals polled in the U.S., EMEA, and Asia-Pacific are not reporting directly to the CEOs of their companies.

“In fact, on average respondents are three levels away from the CEO which makes it very difficult to ensure that leadership has an accurate and complete understanding of security risks facing the organization”, the study said.

It may only be a matter of time before two issues are resolved: who is responsible for cybersecurity, and to whom that person should report so that the organization as a whole understands its cyber risks and remediations as fully as possible.

But a better approach may be a proactive one, driven by the C-suite, to make cybersecurity responsibility as clear as possible. Clarity is a necessity in a time of rising frequency and sophistication of attacks. – David R. Brousell
