When C-level professionals don’t know nearly enough about common security threats, the whole company is at risk.
This many years into the digital era, it’s not exactly news that technology security isn’t only a technology concern—it’s an employee issue, a companywide focus, a boardroom priority. That last one is particularly important. It should be safe to assume that given the budget outlays involved (and the potential threats to the infrastructure) every C-level executive is at least well aware of the value in IT, and remains cognizant of the dangers. Or not.
A pair of recent Nominet studies surveying C-Level executives goes past the data sets, innovation and automation to examine a more neglected constituency: the people, those launching attacks and those responsible for stopping them. In this context, the Chief Information Security Officer (CISO) makes for a perfect prism. This is a dynamic role that balances technology with business, people with processes, budget allocations with bottom-line concerns, and advocacy with diplomacy. Perhaps, most importantly, it illustrates the executive suite’s familiarity with the technology threat matrix. Or, to put it more accurately, the lack of familiarity.
The research polled 400 C-suite executives in the US and UK, and here’s a sampling of the results:
- 78% of the executives surveyed admit to gaps in their knowledge about malware
- 68% concede to knowledge gaps about phishing
- 66% need to learn more about ransomware
- 72% don’t know much about crypto mining
These are not abstract concepts: Ransomware has become such a potent strategy that entire cities are paying out ransom money to get data back, rogue nations are deploying malware to cripple critical infrastructures, and many attacks with profit motives start with phishing and then use malware to infiltrate the network. These are all very real and very serious threats to every company—and the fact that there’s such a widespread lack of knowledge is unquestionably troubling.
Of course, it’s not only about numbers. What we’re learning is that there’s still a major disconnect between IT-specific functions and the rest of the enterprise, and that’s a big problem. The right technologies and related assets—data, skills, processes and more—can propel every organization to new heights, yet even a tiny vulnerability can be exploited by hackers so effectively that it devastates the brand and the bottom line. This is what makes the CISO role so important, and so stressful: it’s intricately intertwined with all other operations, yet also an island unto itself.
The disengagement can have problematic consequences. Given the frequency of headlines about data breaches, is the IT security function adequately funded? A staggering 90% of CISOs believe they lack at least one resource needed to defend against a cyberattack, and 59% believe they lack advanced technology. That’s one reason why nearly 70% report finding malware hidden on their networks for extended periods, even up to a year.
On a related note, 60% of these security specialists say they feel the board understands the inevitability of a breach, but a third still expect to be fired or disciplined if and when that happens. And even apart from the knowledge gaps, there’s confusion about fundamental defense protocols: 33% of CEOs say they would fire the person responsible for a data breach, but it’s an open question who needs to handle that; 35% believe the CEO should manage the response, while 32% say it’s the CISO.
That’s the backdrop for these findings:
- 91% of CISOs suffer moderate or high stress
- 60% rarely disconnect from their jobs
- 25% say the job has affected their health and personal relationships
- Nearly 17% medicate or use alcohol to deal with job stress
- Less than a third stay in the job for more than three years
Again, the numbers serve only to illustrate very real problems. Stepping back from the statistics, we can identify some macro trends driving this turmoil. First, the expanding technology universe—more devices, apps, channels and capabilities—represents a much larger attack surface, and it’s only going to keep growing. Next, it’s a mistake to believe that the innovation we see on the part of the good guys isn’t matched by the sophistication of those on the other side, who have resources to match. Finally, there’s the sheer volume—every day we see new threat vectors carrying greater dangers. This is a moving target, and it’s moving fast.
Allocating more resources to IT security is part of the solution (more than half the executives questioned suffer from inadequate budgets) and it would also help to find more qualified people to staff security positions, which is a problem now. Having a security specialist on the management team could make a huge difference—right now, 70% say they want one, 6% say they have one. This alone would elevate security concerns inside the boardroom and perhaps persuade executives to heed warnings from the IT security department.
However, those are merely symptoms; the only way to address the true disease is by initiating a cultural change in the executive suite. Cyber security is not a standalone function that just happens to need more money, skills or attention; it’s a strategic and business-critical priority that must be integrated into every other function rather than assigned only to the CISO. That will usher greater knowledge into the boardroom, accelerate necessary policies and enforcement throughout the enterprise and secure all business operations. It would be nice if that transformation took place before the next massive breach.