December 9, 2015 | Security and Risk | John Worrall
Earlier this year, thousands of corporate executives from leading global organizations convened in Switzerland for the World Economic Forum. Cyber security was among the key discussion topics. According to The National Cybersecurity Institute’s synopsis of the discussion, “All agreed that cyber security is a mainstream business concern now. Alliances, information sharing about attacks, and combat measures are increasing. CEOs and world leaders are paying attention now. They are realizing that significant attacks pose an enormous threat to profitability and reputation.”
It’s encouraging to see reports of heightened cyber security awareness, but there is still work to be done to align enterprise CEOs with their IT security teams. This is underscored by our newly released survey, “The Gap Between Executive Awareness and Enterprise Security,” which found that 69 percent of IT security professionals believe cyber security is too technical for CEOs, and 53 percent believe their CEO makes business decisions without regard to cyber security. The independent study, conducted by Dimensional Research, surveyed 304 global IT security professionals about how they view CEO leadership on cyber security issues, with the goal of driving productive conversations that prioritize enterprise security. The findings show that IT security practitioners increasingly believe they need greater cyber security leadership from their executives.
IT security professionals rely on executive level leadership on security issues, and CEOs increasingly rely on their IT security teams to provide the security information that matters. The survey shows that the cyber security awareness gap may be driven in part by the need for security teams to properly inform CEOs about what’s business critical when it comes to security.
Today, one-third of CEOs and 43 percent of management teams are still not regularly briefed on cyber security issues and related business risks. While 59 percent of respondents stated that threat detection metrics are the most effective for measuring security program effectiveness, 79 percent simply provide compliance and audit findings to their CEOs and executive teams to demonstrate security effectiveness.
Compliance does not equal security. A clean audit shows only that a required set of controls was in place at the time of the audit; it says nothing about whether attacks are being detected or which business-critical assets remain exposed. Reporting compliance findings alone can therefore lull a CEO into complacency, because all they demonstrate is that a box was checked, without any context for what a responsible level of information protection looks like.
Security professionals need to arm their CEOs and executive teams with threat detection and risk metrics rather than compliance results and system availability figures. This also helps organizations prepare for their 2016 initiatives. Of note, endpoint security and privileged account security were cited as the top two organizational security priorities for the coming year. The C-suite will want to understand these priorities, so it will be important to share related and appropriate metrics for each.
The full survey is available here. For tangible guidance on how to build effective cyber security programs, download and read “The Balancing Act: The CISO View on Improving Privileged Access Controls.” This report features advice from a panel of CISOs from Global 1000 enterprises on how to lead a comprehensive privileged account security program, including recommendations for getting executive buy-in, delivering metrics that matter, and measuring the effectiveness of the controls. The report is available for free at https://www.cyberark.com/cisoview.