Oracle - Exec Summary

THE C-SUITE, THE BOARD AND CYBER-DEFENCE

HOW A PROACTIVE C-SUITE CAN REDUCE CYBER-RISK FOR THE ENTERPRISE

Cyber-attacks are becoming a threat to the health—if not the survival—of the enterprise. What can C-suite executives and board members do to protect their firm? Research conducted by The Economist Intelligence Unit (EIU), sponsored by Oracle, shows that certain firms are able to consistently demonstrate success in reducing breaches across all major forms of cyber-attack. Increase in attacks over past two years 42%

Average growth over two years

39%

21.1%

30%

Unsuccessful companies 24% 17%

23%

9%

Successful companies

10%

6%

6% 2%

Hacking

9.8%

18%18%

18%

Ransomware

Public disclosure

Malware

Corporate espionage

Average reduction of

6%

4%

Government espionage

Customer data

53 %

in the rate of growth of major cyber-attacks

Financial theft

What are steps the C-suite/board can take to reduce the firm's vulnerabilty?

1

2

Adopt a proactive data defence strategy

Comparative engagement of the board

Top priority of the C-suite/board in successful companies 32%

Supporting a proactive security strategy

Recruit security personnel Ensure financial support

Balance security with productivity Collaborate with external entities Support security across silos Security crisis management

22%

17%

Building security culture Security programme oversight

Provide C-suite/board support of the strategy

11%

9%

9% 8% 6% 4% 4%

This is not the passive, ‘firewall perimeter’ defence. Instead, a proactive strategy that mobilises the workforce, engages customers and suppliers, and anticipates potential threats.

46%

C-suite/board feels it gets sufficient information

21% 33%

13% 45%

C-suite/board has necessary expertise in data security

14% Standing board committee on data security

27%

Security factored into board strategic decisions

Why is the C-suite/board so critical? Because defence is no longer an “IT project” – it is a multi-point strategy that requires the authority of the C-suite/board to make it work.

SPONSORED BY

Firms with higher growth in cyber-attacks (+21.1%) Firms with lower growth in cyber-attacks (+9.8%)

EXECUTIVE SUMMARY | PAGE 1

THE C-SUITE, THE BOARD AND CYBER-DEFENCE

HOW A PROACTIVE C-SUITE CAN REDUCE CYBER-RISK FOR THE ENTERPRISE What are steps the C-suite/board can take to reduce the firm's vulnerabilty?

3

4

Break down the silos and

build common standards

Level of success in breaking down silos*

36%

Less successful

Get the workforce engaged

Comparative employee involvement Our employees support our security programmes

72%

54% 73%

Our employees comply with our security policies

More successful

Our employees receive sufficient security training

Successful firms are almost twice as likely to have been successful in breaking down organisational barriers to security. This allows them to build a common security standard and promote it across the organisation.

42% 62% 28% 51%

Employees are the largest source of breaches. Engaging them—through training, communication and incentives—is a priority. It takes the C-suite and the board of directors to make this happen.

*% of respondents who said they were successful + very successful breaking down silos.

5

Centralise management of security operations

We can train and

repurpose our existing

personnel in security

61% 81%

More successful firms

Companies with lower breach rates have centralised their security, allowing common standards, controlled detection and concentration of expertise. It can also lower costs.

Grow your own people as security experts

Comparative employee involvement

Firms with centralised/hybrid management of data security

Less successful firms

6

23% Less successful firms

54% More successful firms

All companies face the global shortage of qualified security personnel. The successful companies are those that meet the challenge by training up their existing personnel and building their expertise in-house.

SPONSORED BY

Firms with higher growth in cyber-attacks (+21.1%) Firms with lower growth in cyber-attacks (+9.8%)

EXECUTIVE SUMMARY | PAGE 2

THE C-SUITE, THE BOARD AND CYBER-DEFENCE

HOW A PROACTIVE C-SUITE CAN REDUCE CYBER-RISK FOR THE ENTERPRISE What are steps the C-suite/board can take to reduce the firm's vulnerabilty?

7

8

Engage third-party experts where necessary

How important are third-party vendors in providing the following security services? (Important and very important)

69%

25%

20%

19%

Conducting independent security audits

% answering data security budget as sufficient

53%

48%

39%

Providing early warning/alerts

Provide the funding

that is needed

Less successful firms

Conducting independent probes and tests

67%

More successful firms

Cyber-attacks increased by 38% in 2015, yet most security budgets are increasing by less than 10%.

Third-party security vendors add three elements to successful security: • Source of scarce expertise • Independent view for monitoring and audits • “Lateral vision” and early warning in emerging cyber-threats. Successful firms engage them at more than twice the rate of unsuccessful ones.

Only the C-suite/board can make the decision to allocate scarce budget and resources to their cyber-defences.

Companies that execute this strategy with the backing of the C-suite/board are also more confident in their current security situation and in their future defence against cyber-attack. They have confidence in their current capacity to fight cyber-crime.

36% 50%

They rate themselves highly against their peers.

They have much higher levels of confidence in their future ability to meet the challenge of cyber-attacks.

Firms rating themselves leaders in cyber-security

% answering confident or very confident

26% 56%

41%

67%

SPONSORED BY

Firms with higher growth in cyber-attacks (+21.1%) Firms with lower growth in cyber-attacks (+9.8%)

EXECUTIVE SUMMARY | PAGE 3