A new Dimensional Research study examined corporate executives’ view of cybersecurity risks and measured their confidence and preparedness in the event of a security breach. Study respondents included 200 business executives and 200 IT security professionals at U.S. companies with annual revenues of more than $5 billion.
Key findings include:
- C-level executives are less confident (68 percent) than non C-level executives (80 percent) that cybersecurity briefings presented to the board accurately represented the urgency and intensity of the cyberthreats targeting their organizations.
- C-level executives (65 percent) were less confident than non C-level executives and IT executives (87 percent and 78 percent respectively) in the accuracy of the tools their organization uses to present cybersecurity risks to the board.
- 100 percent of C-level executives and 84 percent of non C-level executives consider themselves “cybersecurity literate,” despite ongoing cyberattacks and high profile breaches.
“The lower level of confidence on the part of C-level executives reflects a sea change in the way that executives handle cybersecurity risks,” said Dwayne Melancon, CTO for Tripwire. “The reality is that an extremely secure business may not operate as well as an extremely innovative business. This means executives and boards have to collaborate on an acceptable risk threshold that may need adjustment as the business grows and changes. The good news is that this study signals that conversations are beginning to happen at all levels of the organization. This is a critical step in changing the culture of business to better manage the ongoing and rapid changes in cybersecurity risks.”
While the results of the Tripwire study indicate increased preparedness on the part of IT professionals, they expose uncertainty at the C-level and point toward the need to increase literacy in cybersecurity and its attendant risks in the near term.
Competitive pressures to deploy cost-effective business technologies may affect resource investment calculations for security; these competing business pressures mean that conscientious and comprehensive oversight of cybersecurity risk at the board level is essential.
“I’m not surprised that C-level executives are less confident than their boards or IT executive staff,” said Melancon. “That lack of confidence comes, in large part, from the networking and informal benchmarking that takes place among C-level executives at the peer level. There is a lot of ‘comparing notes’ that happens between C-level peers. When this happens, you are able to get a more informed view of where you are in your overall cyber risk preparedness. This is in direct contrast to IT professionals who generally have a more insulated view of their own cyber risk, which can lead to a false sense of security. That difference in perspective – internal inputs vs. external inputs – may very well explain the confidence gap this survey highlights.”