One-third of CEOs and 43 percent of management teams are not regularly briefed on cyber security issues, according to Dimensional Research. Additionally, while 79 percent of IT security professionals are reporting on compliance metrics to demonstrate security program effectiveness, 59 percent state that threat detection metrics are most important.
The survey shows that 60 percent of respondents believe their organization can be breached. As cyber attacks grow in aggression and impact, CEOs and boards are being held accountable for the security posture of their organization.
A closer look at how IT security practitioners perceive executive cyber security leadership offers some clues as to what’s driving the lack of alignment:
- 61 percent believe that CEOs do not know enough about cyber security
- 69 percent say cyber security is too technical for their CEO
- 53 percent think that CEOs make business decisions without regard to security
- 44 percent believe CEOs simply do not grasp the severity of today’s risks.
While IT security professionals are relying on executive-level leadership on security issues, CEOs are increasingly relying on their IT security teams to provide them with the security information that matters. The survey shows that the cyber security awareness gap may be driven in part by the need for security teams to properly educate CEOs on what’s business critical when it comes to security:
- One-third of CEOs are still not regularly briefed on cyber security issues and related business risks
- Forty-three percent of management teams do not regularly receive security status reports
- Fifty-nine percent of respondents emphasized threat detection metrics as the most effective for measuring security program effectiveness, yet 79 percent still provide compliance and audit findings to their CEOs and executive teams
- Executive visibility into security program effectiveness varies by industry, with the highest percentage of respondents in financial services (72 percent) and healthcare (70 percent) saying they regularly provide executives with reports and metrics.
Improving IT security fundamentals is a critical step in improving an organization’s overall security posture. The survey identified areas for improving organizational security:
- Seventy-five percent of respondents cited budgeting issues as the primary barrier to improving cyber security
- In the face of a growing cyber security skills gap, 53 percent cited the lack of expertise as a primary barrier
- Endpoint security and privileged account security were cited as the top two organizational security priorities over the coming year.