There has always been a divide between what the boss and the rank and file know about the business. But when it comes to security, that divide can be fatal.
A new survey from the Ponemon Institute, conducted in Great Britain on behalf of IBM, illustrates many of the management challenges that security professionals routinely have to deal with. The survey of 115 C-level executives found that while CEOs generally deem security to be important, their grasp of the security threats facing the business is not all that deep.
Specifically, the survey shows that there is a significant gap in the confidence of CEOs and other C-level executives in terms of whether the organization will suffer a major security breach in the coming year and, perhaps more importantly, how often their systems are attacked. Perhaps worst of all, confidence in their existing security systems means that there are a lot more CEOs who think their security systems are adequately funded than there are who don't.
Dave Grant, director of security and compliance solutions, says a big part of the problem is that far too many IT organizations are overly invested in perimeter security products that, once compromised, leave the entire organization open to attack. What's required, he said, is more focus on securing data within the application layer, starting when applications are first built and delivered. Trying to layer on security after the fact is what is making security so costly and inefficient, he added.
Grant says that IT executives should take some comfort in the study, given the high level of value that CEOs place on security. But it's also clear that CEOs don't want to become particularly involved in the process, which means that when it comes to data security, IT organizations can still pretty much expect to be on their own.