Many CEOs and CISOs Not Communicating on Security, Survey Finds

If security is only as strong as the weakest link in the chain, the part of the chain linking the office of the chief executive officer to the chief information security officer appears to have a gap in it.

This is according to new research from CORE Security. In a survey of 100 CEOs and 100 CISOs, the company found that 36 percent of the CEOs said their CISO never reports to them on the state of IT infrastructure security. Only 27 percent said they receive updates on a somewhat regular basis.

"CEOs are looking at the issue of security in business terms while the Chief Security Officer is looking at it in technical terms," Mark Hatton, CEO at CORE Security, told SecurityWeek. "Security protection is often viewed as an expense, not something that can save your business from being hijacked, extremely embarrassed or devalued – or even something that can get them fired. At the same time, CISOs are often ill-equipped to explain this to their CEOs in part because they frequently don't know themselves how to process the data that they have."

The two groups also differ sharply in how worried they are. While more than 60 percent of CISOs said they were very concerned about their IT systems experiencing a breach, only 15 percent of CEOs were very concerned about their network being attacked. Sixty-five percent of CEOs conceded that they lack the data needed to interpret how security threats translate into overall business risk.

“These results should be a wakeup call for every organization to demand better alignment between the executives charged with protecting their most vital assets," said Patricia Foye, senior vice president of marketing at CORE Security, in a statement. "The idea that there are such disparate views on the crucial threats facing the company between two members of an executive team is discouraging to say the least. CEOs need to bring their security teams into the mainstream of day-to-day operations. Security and continual risk assessment should be woven into the fabric of operational reviews and should be an agenda item at the Board of Director level.”
