Only a third of CIOs cite cyber-risk mitigation as a performance measure