SecurityWeek

Management & Strategy

Survey Highlights Communications Gap Between Security Pros and Senior Execs

In any relationship, good communication is key, especially in the world of enterprise IT.

In a new study from the Ponemon Institute, a survey found that among those who rated their organizations as having a low security posture, only six percent said they had effective communication with senior executives about security issues. Forty-two percent said they didn’t. Among those who said they had a high security posture, it was the virtual opposite – 41 percent said their communication with senior executives was highly effective, just 12 percent said it wasn’t.

The study fielded responses from 597 individuals who work in IT, IT security, compliance, risk management and other related fields at Fortune 500 class organizations with 1,000 or more employees. Their answers don’t always paint the prettiest picture.

“Only 13 percent of respondents would rate the security posture of their organization as very strong,” the report noted. “Whereas, 33 percent of respondents say their CEO and Board believes the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.”

The reasons for the communication gap appear multifaceted. Sixty-three percent said they only communicate with senior executives when there is a security incident, and 51 percent admit to filtering out negative facts before discussing security issues with higher ups. Another common response was that communication about security issues was typically contained to one department or line of business (60 percent).

The good news is that many of these organizations recognize that metrics should be used to aid this process. However, 69 percent said that their metrics do not always align with business goals. In addition, 62 percent said their current metrics don’t provide enough information about the impact of changes. Fifty-four percent felt that metrics do not help understand the vulnerabilities to criminal attacks.

In IBM’s CISO study last year, just 12 percent said they were feeding business and security metrics into their risk process, and nearly two-thirds said they do not translate metrics into financial results. More than half reported not fully integrating security metrics with business risk measurements.

“What is most concerning is that it would seem security in many organizations is based on perception and ‘gut feel,’ versus hard data,” said Dr. Larry Ponemon, in a statement. “The stakeholders with the highest responsibility seem to be the least informed – a view that is amplified externally. We also found that executive perception of security ‘strength’ had a virtually identical percentage (63 percent) in external partners, and we know that third-party failings also had a hand in the Target breach.”

According to the Ponemon report, some of the metrics that matter and can be measured include: assessment of an organization’s vulnerability to attacks, an assessment of the impact of disruptive technologies on the organization’s security posture, an assessment of technologies used to manage change to the security function and an assessment of risks caused by the migration to the cloud and changes in the mobile platform.

“The biggest issue is that IT security teams are flying blind,” said Jody Brazil, president and CTO of FireMon, which sponsored the study. “Networks are becoming more complex and expansive, while we freeze or reduce the resources tasked with managing them. The fact that the study shows 60 percent performing manual auditing or none at all is alarming. In a threat environment that is ‘always on’ and aggressive, teams must have the ability to automate and continuously monitor and assess dynamic network environments, and be equipped with proactive tools to provide predictive and prioritized intelligence on an ever-shifting risk profile.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
