The Exec-Disconnect on IT Security
Different Chiefs give Different Security Stories.
A recent survey shows that there is a wide gap between CEOs and Chief Information Security Officers when it comes to the origin and seriousness of security threats. They differ on how they view threats to IT infrastructure and remain far apart on how best to address an issue that, according to analyst reports, costs organizations more than $30 billion annually. The survey of 100 CEOs and 100 CISOs (or other C-level executives with security responsibility) shows that the discrepancy is often due to a lack of communication: 36% of CEOs said they never get a security report from their CISO, and only 27% receive updates on a regular basis. Is it the CISO who doesn’t report back, or the CEO who is not interested? Let’s look at some more data.
The CISOs felt that the biggest threat was internal (their own employees) due to a lack of education and attention, while the CEOs felt that the biggest threat came from outside, such as phishing attacks. Similarly, 61% of CEOs said they had enough time and resources to adequately train staff on how to mitigate threats, while only 27% of CISOs felt the same. It’s opposite day. When asked if their IT systems were ‘definitely’ or ‘probably’ under attack without their knowledge, 58% of CISOs said yes, with only 26% of CEOs agreeing. The chasm grows. What percentage of each, do you think, said they were very concerned about their IT systems getting hacked? 30 seconds on the clock, please. Don’t peek. Only 15% of CEOs and ‘only’ 62% of CISOs are anxious about breaches. 15%? That’s it? Maybe they have great confidence in their security team… or they simply don’t have the information. 65% of CEOs admitted to not having the data needed to interpret how security threats translate into overall business risk, which is the very stuff of day-to-day operations. Granted, the CEO is further removed from the specific threats and how they are handled, but there is clearly a distance between how each views threats and the company’s ability to successfully mitigate them.
Lack of interest or lack of understanding and information? Probably both. An old adage holds that a great boss hires people who are good at the things he or she isn’t so good at: surround yourself with those who know their areas better. Or maybe there is a culture in which you don’t alert the top unless it’s dire, critical or unstoppable. Whether the problem is communication or interest, it is evident that the C-suite isn’t really talking about these critical business issues, especially when three times as many CEOs as CISOs worried about losing their jobs following an attack.