When it comes to security and reports like those I’ve just read, I have to wonder if CEO stands for Chief Executive Ostrich, because there are a lot of them with heads buried in the sand, ignoring reality.
Take this new study by Cyphort and Ponemon Institute, for example. The email announcement I received regarding the study warned that CEOs are “completely clueless” about cyberattacks on their company, with a little more than one third of respondents saying they are never updated about security incidents. Why aren’t they learning about the attacks? The report, which surveyed 597 IT leaders in the private sector, found that 39 percent said the company didn’t have the intelligence data available to present to CEOs and convince them of the security risk. In turn, not only are companies being attacked, but it is taking way too long to detect that attack, with nearly a quarter saying it can take up to two years.
This could be because C-level executives make productivity a greater priority than security, according to the newest report from Barkly. The study found that while IT professionals want to put more emphasis on security, only 27 percent of executives want to prioritize security. Another big disconnect between IT and executives when it comes to security: the C-suite thinks more software is the solution to improved security, while IT professionals want to bump up employee education. The most ironic result of the survey was that IT pros say the uninformed employee is the network’s biggest threat, while executives say it is insider threats. It’s almost like comparing green apples and red apples, isn’t it? But it does show that there is a serious lack of communication and understanding when it comes to security. As Jack Danahy, co-founder and CTO of Barkly, said in a formal statement:
This report proves that from the CISO to the entry-level IT pro, organizations must be better aligned when it comes to security. When there's a disconnect in priorities, level of understanding and measurement, even a seemingly strong security initiative is destined to fail. Once teams understand each other's priorities and concerns around security, they can implement the tools they really need, that will best protect their endpoints from ever-increasing, complex threats.
Getting C-level executives and enterprise decision makers to take security more seriously is not going to be an easy task, but eSecurity Planet provided some suggestions on how CISOs can present security to decision makers. I think these suggestions can trickle down to anyone who is charged with security monitoring and has trouble convincing the bosses about its importance. The best tidbit of advice came from Ray Espinoza, vice president and global head of security for Proofpoint:
Keep it simple. Use analogies. You want to use examples to humanize the information. The most relevant examples will be those involving similar companies in similar industries.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.