No matter how many breaches we read about, how many cautions we hear, or how many reminders we get about the importance of round-the-clock diligence, cyber security continues to slip through the cracks as a business priority too often.
Too often, this chink in the armor comes down to a simple and disturbing disconnect: too many C-suite executives seem to not be getting the message that this cyber security stuff is really important.
For a dramatic illustration of this, look no further than a recent report from cloud-based security vendor ERP Maestro. The company crunched data from a May survey of Americas’ SAP Users’ Group, and it found that while 80% of IT security staff are either very or extremely concerned about the level of cyber security protecting their data and systems, only 25% of executive management shares that concern.
What’s more, other groups, including non-security IT management (49%), IT analysts (56%) and business analysts (50%), are twice as likely to be concerned compared with C-level executives.
Digging down deeper, ERP Maestro also found that 35% of respondents said they either don’t have or aren’t aware of a cyber security strategy. Whether a strategy exists or not, the fact that more than a third of survey respondents aren’t aware of one provides compelling evidence that somehow security is still not a high enough priority in many organizations.
A similar report from data analytics research firm GlobalData found that while increasing cyber security funding in the private sector indicates a growing appreciation of its importance, C-level executives continue to have a poor grasp of the issue.
Cyrus Mewawalla, head of thematic research at GlobalData, suggested in a press release that the risks of having leadership that isn’t properly educated about cyber security are grave.
“The frequency of cyber attacks is only likely to accelerate over the coming years, therefore it is vital that senior executives have a full understanding of the inherent risks and implications,” said Mewawalla. “The losers will be those companies whose boards do not take cyber security seriously, as they run a higher risk of being hacked.”
Executives’ lack of understanding of cyber security is evident in less-direct research findings as well. For instance, a recent survey from Gemalto indicates that 68% of IT professionals believe their organizations are failing to carry out all procedures in line with data protection laws, a clear message that oversight from the C-Suite is lacking.
Elsewhere, CSO Online last year published a report called “The Current State of Cyber Crime,” and among its findings was this gem: six out of 10 boards still see cyber risk as primarily an IT issue.
How much evidence do C-level executives need before they get the message? How many more companies must fall victim to breaches unnecessarily while boards look the other way, hoping that IT will not only fix the problem, but perhaps take the fall in the meantime?
Like pretty much any business problem, effective cyber security requires a combination of leadership, vision and teamwork, all of which are things the C-suite has been lacking when it comes to cyber security.
The findings from yet another recent survey suggest that one answer to that pesky little teamwork issue — namely, encouraging improved collaboration between the C-suite and CISOs — might bring needed relief.
In “Securing the Future Enterprise Today — 2018”, Accenture found that nearly three-fourths of companies have centralized cyber security teams, but that a similar portion of C-suite executives believe that cyber security staff and activities should be dispersed through all parts of a company.
In other words, maybe there’s hope.
“There is still much work to be done,” said Omar Abbosh, Accenture’s chief strategy officer, in a press release. “Cyber security strategy needs to be led by the board, executed by the C-Suite and owned at the front lines of the organization. Further, it must be infused across all aspects of a company’s processes and systems, and built into the daily work activities of employees.”
If C-suites and boards of directors can take that kind of a leadership role, and sprinkle cyber security vigilance throughout their organizations, maybe, just maybe, they can get on top of this problem.
*** This is a Security Bloggers Network syndicated blog from RSA Conference Blog authored by Tony Kontzer. Read the original post at: http://www.rsaconference.com/blogs/c-suite-cyber-security-awareness-may-be-the-key-to-taking-a-bite-out-of-breaches