We released a new independent survey today that examines how security is viewed within an organization from the points of view of both the CEO and the CISO (or the C-level executive with oversight of security). The survey highlighted several discrepancies between the two groups in how they view threats and their organization’s ability to effectively mitigate them. Some of these are understandable: the CEO is obviously further removed than the CISO from the specifics of the threats and of the defenses established to thwart them. However, the one data point I am having a difficult time comprehending is the apparent lack of interest in security from the top executive.
The survey found a clear lack of communication between the offices of the CEO and the CISO: more than 36 percent of CEOs said that the CISO never reports to them on the state of IT infrastructure security. Let that sink in for a moment. With all of the cyber threats reported on a weekly, monthly and annual basis, 36 percent of CEOs don’t deem it necessary to get a security briefing from the member of their executive team who oversees security.
Add in the fact that only 15 percent of CEOs were very concerned about their network being attacked, and a picture starts to emerge of CEOs who are out of touch, or not as concerned with cyber security as the potential consequences warrant. Even when the topic turned to the welfare of the business, an area that lands directly at the door of the CEO, 65 percent said they did not have sufficient data to interpret how security threats translate into overall business risk. Personally, I can’t imagine many boards being comfortable with that type of response.
So which is it? Do CEOs have such confidence in their security teams that they don’t feel the need to involve themselves, or are they simply not interested? Perhaps it stems from a lack of understanding of how cyber risks can affect the business as a whole. Whatever the reason security has not received the attention it deserves in the past, these findings tell us that the way top executives view security as part of day-to-day operations needs to change significantly. Security and continual risk assessment need to be woven into the fabric of operational reviews and become an ongoing discussion in the boardroom.