Management & Strategy

Lack of Senior Management Involvement Challenges SMB Security

Uncertainty is not the word organizations want associated with their IT security posture, but in many cases, the shoe seems to fit, a new study has found.

According to a survey of 2,000 IT security professionals at small to midsized businesses by the Ponemon Institute, one-third of respondents admitted they are not certain if a cyber attack has occurred in the past 12 months.

Part of this may be due to a weak approach to security by CISOs and senior management. Fifty-eight percent said that management does not see cyber attacks as a significant risk to their business, and 44 percent said a strong security posture is not a priority. In addition, while 32 percent say the CIO is responsible for setting priorities, 31 percent say no one person is responsible.

“Only 11 percent of respondents say the CISO is responsible for setting IT security priorities,” Dr. Larry Ponemon, founder of the institute, told SecurityWeek. “In contrast, the CIO received 32 percent of the vote, followed by no one function at [31 percent]. It’s my opinion that the CISO is most likely to understand the real security concerns of the organization and is in the best position to set priorities for IT security.”

Other studies by Ponemon have indicated that a good incident response plan and strong leadership from the CISO can reduce the cost of a data breach significantly. The lack of senior management involvement in cyber security among those in the survey may account for a lack of resources being allocated to security challenges. According to the survey, 42 percent said their budget is not adequate for achieving an effective security posture. Organizations were also challenged by the fact that only 26 percent of respondents said they had enough security expertise in-house to handle security.

“In our experience, smaller-sized organizations lack the resources to fully detect cyber attacks,” Ponemon said. “This weakness can be overcome with a combination of expert personnel and enabling security technologies. On a positive note, managed security solutions and cloud-based security technologies make it economically feasible for SMBs.”

Interestingly, while many respondents expressed uncertainty about detecting cyber-attacks, data breaches are uncovered more readily. Some of that is because many data breaches are due to lost or stolen devices as opposed to stealthy cyber-attacks, but the reason actually goes deeper, opined Chet Wisniewski, whose firm, Sophos, sponsored the study.

“If information is stolen there are usually repercussions,” said Wisniewski, senior security advisor at Sophos. “Credit card companies identify you as the source of the stolen card data, criminals post your information online, [and] others may even hold your data for ransom. The attacks themselves are silent, but deadly. Detecting attacks in progress requires a coordinated effort and the ability to know that something that isn’t normal is happening. Of course, most organizations don’t know what normal is, making it rather difficult to detect anomalies.”
