Last month, thousands of corporate leaders from all over the world and from all types of industries met in Switzerland for the World Economic Forum. While there, they discussed a wide range of topics, including cybersecurity. As the National Cybersecurity Institute blog pointed out:
All agreed that cyber security is a mainstream business concern now. Alliances, information sharing about attacks, and combat measures are increasing. CEOs and world leaders are paying attention now. They are realizing that significant attacks pose an enormous threat to profitability and reputation.
That sounds encouraging. However, at the same time, it appears that CEOs are still disconnected from the cybersecurity-related actions and events within their own companies. According to a study by Raytheon and conducted by the Ponemon Institute, more than three-quarters of IT and security professionals admitted that their boards of directors have not been updated on cybersecurity concerns in the past year. Here, eSecurity Planet further explained the study’s findings:
The survey … also found that two thirds of respondents believe senior leaders in their organization don't view cyber security as a strategic priority, and just 14 percent said their organization's security leader reports directly to the CEO.
Talk about disconnect. On one hand, you have the CEOs who are saying all the right things about cybersecurity in public, but on the other hand, it is questionable as to whether or not they are following through on those statements. Is cybersecurity an enterprise priority or not?
It should be since it seems like each week brings a new high-profile breach. However, I believe there continues to be confusion and misconception on who should be responsible for enterprise data security.
Take this recent study by Kaspersky Lab as an example. It found that one in five businesses believe they should be protected against DDoS attacks by their IT service providers, and the smaller the company, the less responsibility they should take. As Evgeny Vigovsky, head of Kaspersky DDoS protection said in a statement:
By relying on IT services providers, many companies are putting themselves at risk. Vendors do not usually offer this protection as a default option.
While DDoS attacks are only one small segment of cybersecurity, I think the overall point of this study is valid. Enterprise decision makers still don’t know enough about the way cybersecurity controls work or are either misinformed or have misconceptions about who is in charge of cybersecurity within their company. Until C-levels and other business leaders have a clearer understanding of cybersecurity—namely how the attacks happen and where the security controls are within the company— this disconnect will continue, and all of the talk about improving cybersecurity efforts will never be put into action.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba