dc.description.abstract | Digitalization has transformed nearly all businesses in the last decades, and more and more businesses rely on digital solutions to survive. With this change, cybersecurity has become even more important, and it is now essential that cybersecurity is viewed as a strategic investment rather than a purely technological one. Many organizations today are still not aware of the risks they face in the cyber field or of how they can mitigate those risks. The CEO, together with the board, is ultimately responsible for information security in the organization. It is therefore important that the CEO and the top management are aware of cyber-related risks and can make sound decisions that protect the organization's goals and assets.

This master's thesis looks into top management involvement in cybersecurity and how to get top management more involved in cybersecurity in order to mitigate the risk of cybersecurity threats. The CISO (Chief Information Security Officer) role emerged as a possible solution for spreading knowledge and awareness and for making top management understand the importance of their involvement in cybersecurity. Throughout this thesis we aimed to answer three research questions:

“Has it become more important that top management involve themselves in cybersecurity?”,
“Who should have the overall responsibility for cybersecurity in an organization?”, and
“How can a CISO help improve an organization's cybersecurity overall?”
○ “What should be the CISO's responsibilities?”
○ “Where in the organizational structure should the CISO be placed?”

The last research question was divided into two sub-questions for better clarification.

In this thesis a qualitative research method was used, including a systematic literature review. A total of nine interviews were conducted, with one information security leader, four CISOs, two CEOs and two information security experts. The systematic literature review showed that the field is understudied and that the studies done previously mostly propose academic solutions or models for risk mitigation. Some studies found during the literature review were still relevant and supported the data gathered in the interviews of this thesis.

The interview respondents all had some experience in the field of cybersecurity, and all of the interviews produced relevant data. Towards the end of the study, two cybersecurity experts were contacted to see whether they agreed or disagreed with the research findings, thereby triangulating our data. The findings from the interviews indicated that top management needs to involve themselves in cybersecurity, know about the organization's important assets and be aware of cybersecurity threats. Another finding was that the CISO role can help top management be more involved in cybersecurity. A CISO who can communicate cybersecurity strategies, risks and awareness in a clear, understandable way will enable top management to more easily take correct and important decisions related to cybersecurity. The placement of the CISO role in an organization was the only subject on which the experts and the other interviewees had slightly different opinions; however, all agreed that the CISO should have a clear communication path to top management. Overall, the results from our study supported the research statement: “It is crucial that top management gets involved in cybersecurity in order to properly secure an organization.” This shows that it is crucial that decision makers (top management) have the best knowledge possible for making cybersecurity-related decisions in an organization. Such knowledge can help them make the correct decisions regarding funding, strategies, measures and other matters related to cybersecurity, and therefore also better protect the organization from cybersecurity threats. It is clear that the CISO should most definitely have the possibility of direct communication with the CEO and the top management. Furthermore, it is absolutely necessary for the CEO and the top management to get involved in cybersecurity if the organization is to secure itself against cybersecurity threats, as they possess the knowledge about the important assets of the organization.