When it comes to corporate executives’ view of cybersecurity risks, and their confidence and preparedness in the event of a security breach, it’s well-known that a gap has persisted between perception and reality. Security staff assessments of cyber-postures have until now tended to diverge rather significantly from those of the C-suite (who are traditionally more optimistic), indicating a need for more communication across departments.
A study from Dimensional Research on improving the cybersecurity literacy of Fortune 500 boards and executives found that this is beginning to change. In fact, C-level executives were found to be less confident (68%) than non C-level executives (80%) that cybersecurity briefings adequately convey the urgency and intensity of the cyber-threats targeting their organizations.
They were even less confident than IT executives (78%) in the accuracy of the tools their organization uses to present cybersecurity risks to the board.
Further, as a testament to the growing awareness of the seriousness of the cyber-attack landscape, 100% of C-level executives and 84% of non C-level executives in the survey said that they consider themselves “cybersecurity literate.”
“The lower level of confidence on the part of C-level executives reflects a change in the way that executives handle cybersecurity risks,” said Dwayne Melancon, CTO for Tripwire, which sponsored the survey. “The good news is that this study signals that conversations are beginning to happen at all levels of the organization. This is a critical step in changing the culture of business to better manage the ongoing and rapid changes in cybersecurity risks.”
While the results indicate an increased preparedness on the part of IT professionals, they also expose the uncertainty at the C-level and point toward the need to increase literacy in cybersecurity and its attendant risks in the near-term. Competitive pressures to deploy cost-effective business technologies may affect resource investment calculations for security; these competing business pressures mean that conscientious and comprehensive oversight of cybersecurity risk at the board level is essential.
“The reality is that an extremely secure business may not operate as well as an extremely innovative business,” Melancon said. “This means executives and boards have to collaborate on an acceptable risk threshold that may need adjustment as the business grows and changes.”
The lack of confidence also comes, in large part, from the networking and informal benchmarking that takes place among C-level executives at the peer level.
“There is a lot of 'comparing notes' that happens between C-level peers,” Melancon said. “When this happens, you are able to get a more informed view of where you are in your overall cyber-risk preparedness. This is in direct contrast to IT professionals, who generally have a more insulated view of their own cyber-risk, which can lead to a false sense of security.”