In many organizations today, keeping pace with the rate of emerging cyber-threats is placing a tremendous strain on IT security teams. They must keep one step ahead of motivated and sophisticated attackers, while communicating the risks and necessary response to executive leadership.
Indeed, as cyber-attacks continue to grow in aggression and impact, CEOs and boards are increasingly being held accountable, often publicly, for the security posture of their organisation. However, our own research has found that while 60% of respondents believe their organisation could be breached, one third of CEOs and 43% of management teams are still not regularly briefed on cybersecurity issues and the related business risks. This gap between awareness and effective security programmes can leave many organizations vulnerable to attack.
The cyber-skills gap
Our research conducted with IT security professionals revealed a widespread belief that C-Level executives do not know enough about cybersecurity, with 69% of respondents stating that it’s simply too technical for their CEO. Indeed, when asked about the barriers to improving organisational security, more than half cited the lack of cyber-expertise as their primary challenge, while many more viewed budgetary constraints as their number one barrier to implementing cybersecurity enhancements.
The fact of the matter is that non-technical executives are often in control of the purse strings. It is therefore vital that IT security professionals work to ensure that their leadership team fully understands the evolving threats facing their business and that appropriate resources are allocated to implementing a multi-layered and effective security strategy – a far more cost-effective strategy than remaining an easy target for an attacker.
Know your audience
While IT security professionals are relying on executive level leadership to improve security, CEOs are equally dependent on their IT security teams to equip them with the information that matters. The cybersecurity awareness gap is arguably exacerbated by security teams failing to properly educate CEOs on what is business critical when it comes to security.
Security professionals must ensure they are briefing executives on the right data, arming them with information such as threat detection and risk metrics versus compliance and system availability. When it comes to liaising with executives with limited understanding of cybersecurity, taking the time to explain common attack methods and instances where security failings have contributed to an attack on a high-profile company will help to provide context and strengthen a call to action.
As an example, almost all data breaches that have been reported in recent years have involved the compromise of credentials. However, many organizations still place too much focus on perimeter security, and there is a common misconception that having this in place makes them secure.
IT professionals must therefore communicate risk based on facts. For example, in relation to credential misuse there are a few simple questions that should be addressed at the outset:
- How many potential breach points does the organisation have?
- How many are proactively managed?
- How many reside on critical business systems?
- How many third parties have access to them?
These are all critical pieces of factual information that can be used to articulate the risk and define funding requirements for mitigation strategies with executives.
Compliance: A false sense of security?
Our research has also revealed that 79% of respondents use compliance metrics to demonstrate the effectiveness of their security programmes to senior management. I would discourage companies from an over-reliance on compliance. Compliance does not equal security, and a tick-box approach can lull a CEO into a false sense of complacency.
IT security professionals are facing greater challenges than ever before and should be providing greater visibility into how cybersecurity programmes are performing, regularly communicating needs around budget and skills with their C-Level executives, rather than limiting their focus to audits.
Increasingly, CEOs and executive teams own the security agenda, whether willingly or not, and ignorance will neither be bliss nor an excuse in the event of an attack. By providing greater visibility into how cybersecurity programmes are performing and regularly and more effectively communicating needs around budget and skills, IT security professionals will gain the support of the leadership team and in turn help their organisation become more proactive in protecting against advanced threats.