I have long been a strong proponent of educating employees about network security. By educating, I mean using good, clear communication. You must make sure the employees truly understand the dangers and risks rather than just assuming they know what you're asking them to do. I admit, though, that when I think about who is involved in this scenario, I'm thinking of the worker bees and lower management. I had not realized that there is apparently a communication gap between IT and C-level staff that can lead to huge security problems.
A new report from the Ponemon Institute and Tripwire called “Are Security Metrics Too Complicated for Management?” finds that executives and their IT security staff in the U.S. and the UK don’t always see eye to eye when it comes to security risks. Or perhaps, the more appropriate way to explain it is that meaningful communications about cyber security are often written in terms that are above the understanding of even management. As an article in Quartz put it:
According to the report, explanations about cyber security threats by IT workers get lost in translation in dialogue with corporate managers. ‘Finding meaningful ways to successfully bridge this communication gap is critical to broader adoption of risk-based security programs,’ the report says. ‘The onus for this effort clearly lies with IT security and risk professionals.’
In other words, what this report found is that executives and IT don't speak the same language, with the vast majority of the IT respondents believing that security information is too technical for executives to understand. But the IT people interviewed for this survey also gave another reason why security information isn't getting to executives: IT has more pressing things to do than interact and share information with the executive team (48 percent of U.S. respondents and 42 percent of UK respondents). I had to read that finding several times because it surprised me. The report went on to state:
In fact, 40% of the respondents in the U.S. and 43% in the U.K. say they only communicate with executives when there is a security incident–the least conducive time for constructive communication.
The report should be eye-opening to both IT and executives. While the survey talked only to people on the IT side of the coin, it would seem this lack of communication is driven by the IT department. What comes through is a sense of superiority, and of a turf war (as in, "We aren't going to tell you what's going on until we have to, because this is our territory."), between many of the IT respondents and their upper executives. The report also suggests why other employees are in the dark about security. After all, if IT can't or won't communicate with its own executives, should we expect it to communicate security concerns effectively to the administrative assistants?