The survey of 100 CEOs and 100 CISOs, conducted by Research Now for CORE Security, found a huge disconnect between the two groups when it comes to corporate information security.
A full 62% of CISOs said they were worried about their IT systems getting hacked, while only 15% of CEOs were worried about such a compromise.
“The survey is highlighting a gap we’ve seen for a number of years now where it is very difficult within the senior ranks of an organization to have consistency around the communication of these threats. I think it is causing a lot of the challenges for organizations to respond to what has become a very serious threat”, said Mark Hatton, chief executive officer of CORE Security, a provider of predictive security intelligence products.
More than half of CISOs said their IT systems were “definitely” or “probably” under attack without their knowledge, while only one-quarter of CEOs expressed that concern. Only 27% of CISOs, while 61% of CEOs, said their companies have enough time and resources to train and educate employees on security.
“The CEOs we surveyed are not getting the regular, consistent kinds of reports from their chief security officers about the health or risk of their IT systems like they would get about the financial systems or other systems”, Hatton told Infosecurity.
Hatton attributed the lack of regular information security briefings to the reporting structure of many organizations, where the CISO does not report directly to the CEO and the board, as well as the lack of a common language about security between the CISOs and the executive suite. “The security community tends to talk in technical terms, and the CEOs are thinking in business terms….This lack of communication is preventing CEOs from being proactive about security risks”, he said.
CISOs are being asked to assess and manage risk, in addition to their role of defending IT assets. “They are being asked to put themselves in situations where they have to assess the risk a security incident might uncover. That is getting much more predictive”, Hatton said.
The CORE Security chief said that CISOs and their security teams should be more predictive about information security risks, should use a common risk framework to communicate that risk to the executive suite, and should be briefing top management on a regular basis.
“Security has become so diverse and there are so many systems generating so much data that you really need to put a front-end to it. You need to add a layer of consistent reporting from various security systems so that a CEO or CFO can look at a security report and be able to understand it….And the organization needs to elevate the role of the chief security officer. If they are going to be asked to manage risk, they need to have direct line into that board room”, Hatton stressed.