An interesting new study by CORE Security highlights a disconnect between the boardroom and the IT room in Corporate America with respect to how each views threats to IT infrastructure security. The study found that, “[m]ore than 60% of CISOs [Chief Information Security Officers] responding said that they are very concerned about their IT systems experiencing a breach.” In contrast, “only 15 percent of CEOs felt the same way.”
CISOs and CEOs also disagreed on the greatest security threat to their companies. The CISOs cited lack of employee education and diligence as their primary concerns. The CEOs, however, believed that external phishing attacks were the largest threat to the organization.
What explains this divide? 65% of CEOs admitted that they do not have sufficient data to interpret how security threats translate to overall business risk. Indeed, more than 36% of CEOs said that their CISOs never report to them on the state of IT infrastructure security. In other words, there is a breakdown in communication. Also, the study found that “[s]ecurity protection is seen as an expense, not something that can save your business from being hijacked, extremely embarrassed or devalued.”
So what is the takeaway? First, it seems that more communication is needed between the C-Suite and the IT-Suite. Also, security as an issue needs to be taken more seriously by the upper echelon of management. As the study recommends, “[o]rganizations need to take a proactive, intelligence-based approach to security.” The CORE Security study is a very quick, interesting read, and highlights that communication is one of the most important information security safeguards.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.