Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Survey Highlights Communications Gap Between Security Pros and Senior Execs

In any relationship, good communication is key, especially in the world of enterprise IT.

In any relationship, good communication is key, especially in the world of enterprise IT.

In a new study from the Ponemon Institute, a survey found that among those who rated their organizations as having a low security posture, only six percent said they had effective communication with senior executives about security issues. Forty-two percent said they didn’t. Among those who said they had a high security posture, it was the virtual opposite – 41 percent said their communication with senior executives was highly effective, just 12 percent said it wasn’t.

The study fielded responses from 597 individuals who work in IT, IT security, compliance, risk management and other related fields at Fortune 500 class organizations with 1,000 or more employees. Their answers don’t always paint the prettiest picture.

“Only 13 percent of respondents would rate the security posture of their organization as very strong,” the report noted. “Whereas, 33 percent of respondents say their CEO and Board believes the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.”

The reasons for the communication gap appear multifaceted. Sixty-three percent said they only communicate with senior executives when there is a security incident, and 51 percent admit to filtering out negative facts before discussing security issues with higher ups. Another common response was that communication about security issues was typically contained to one department or line of business (60 percent).

The good news is that many of these organizations recognize that metrics should be used to aid this process. However, 69 percent said that their metrics do not always align with business goals. In addition, 62 percent said their current metrics don’t provide enough information about the impact of changes. Fifty-four percent felt that metrics do not help understand the vulnerabilities to criminal attacks.

In IBM’s CISO study last year, just 12 percent said they were feeding business and security metrics into their risk process, and nearly two-thirds said they do not translate metrics into financial results. More than half reported not fully integrating security metrics with business risk measurements.

“What is most concerning is that it would seem security in many organizations is based on perception and ‘gut feel,’ versus hard data,” said Dr. Larry Ponemon, in a statement. “The stakeholders with the highest responsibility seem to be the least informed – a view that is amplified externally. We also found that executive perception of security ‘strength’ had a virtually identical percentage (63 percent) in external partners, and we know that third-party failings also had a hand in the Target breach.”

According to the Ponemon report, some of the metrics that matter and can be measured include: assessment of an organization’s vulnerability to attacks, an assessment of the impact of disruptive technologies on the organization’s security posture, an assessment of technologies used to manage change to the security function and an assessment of risks caused by the migration to the cloud and changes in the mobile platform.

“The biggest issue is that IT security teams are flying blind,” said Jody Brazil, president and CTO of FireMon, which sponsored the study. “Networks are becoming more complex and expansive, while we freeze or reduce the resources tasked with managing them. The fact that the study shows 60 percent performing manual auditing or none at all is alarming. In a threat environment that is ‘always on’ and aggressive, teams must have the ability to automate and continuously monitor and assess dynamic network environments, and be equipped with proactive tools to provide predictive and prioritized intelligence on an ever-shifting risk profile.”

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

CISO Conversations

In this edition of CISO Conversations, SecurityWeek speaks to two city CISOs, from the City of Tampa, and from Tallahassee.