The Accountability Gap: Getting Business to Understand Security

A new survey and report from Tanium and NASDAQ, using a research team from Goldsmiths, University of London, seeks to quantify organizations’ cyber security vulnerability.

The research was done by first defining seven inherent challenges and then surveying 1,530 non-executive directors (NEDs), CISOs and CIOs from the US, UK, Germany, the Nordic countries, and Japan. The seven categories that comprise cybersecurity vulnerability are cyber literacy, risk appetite, threat intelligence, legislation & regulation, network resilience, response, and behavior.

The bottom-line conclusions from the response analysis will surprise no one involved in cyber security: only 10% of respondents have a low level of vulnerability. The vast majority of organizations (80%) are deemed to have “a medium level of vulnerability.”

This is mirrored in the report detail. For example, only 13% of the most vulnerable NEDs are briefed regularly on cybersecurity legislation and regulation, and just 8% are regularly briefed on current threats. This compares to 100% and 96% respectively for the least vulnerable. There is a close correlation between poor information exchange between Business and Security and a poor security posture.

However, knowing there is a problem, and knowing what to do about it, are two different things.

The real difficulty is in getting Business to accept that it needs to understand Security. Writing in CityAM, Dr. Chris Brauer, director of innovation in the Institute of Management Studies at Goldsmiths, University of London, accepts the difficulty: “There is a marked hesitance to speak up among those NEDs who didn’t consider themselves knowledgeable about ‘cyber’. Most are not digital natives and there is a common culture of complacency – often a ‘leave that to the techies’ spirit – and an over-reliance on specialist advice.”

Orion Hindawi, Co-founder & CEO at Tanium, agrees with this basic problem: the study found “a worrying gap between presumed and actual corporate readiness for data security incidents and a widespread lack of accountability at the top levels of organizations. That means that some of the world’s largest networks, holding some of our most precious data, are more vulnerable than their leaders believe.”

The report’s own primary conclusion is that organizations need to ‘create a culture of openness’. “Boards need to know what questions to ask in order to understand the state of cybersecurity of the business. These can be supplemented by detailed in-house or externally facilitated briefings for directors to ensure they have the skills to provide adequate oversight. Board members need to learn how to ask questions the same way they do for financial concerns and, in some cases, certain board members responsible for cyber should be given extended training.”

How to get to that culture of openness is the problem. In general, Business has no wish to understand Security; that is what it pays CIOs and CISOs to do. CISOs know and grapple with this problem all the time, and the reality is that it will most likely be solved by Security learning to speak Business, rather than Business learning to speak Security.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
