C-level executives need to increase literacy in cyber security and its associated risks, a study has revealed.
In a poll of 400 business executives and IT security professionals at Fortune 500 companies, only 68% of execs said they were confident that cyber security briefings to the board represent the urgency and intensity of cyber threats targeting their organisations, compared with 80% of IT pros.
According to The Cyber Security Literacy Confidence Gap study, C-level executives (65%) are also less confident than non C-level executives (87%) and IT executives (78%) in the accuracy of the tools their organisation uses to present cyber security risks to the board.
Despite this lack of confidence, 100% of C-level executives and 84% of non C-level executives consider themselves “cyber security literate”, even against a backdrop of ongoing cyber attacks and high-profile breaches.
“The lower level of confidence on the part of C-level executives reflects a sea change in the way that executives handle cyber security risks,” said Dwayne Melancon, chief technology officer for security firm Tripwire, which commissioned the study.
“The reality is that an extremely secure business may not operate as well as an extremely innovative business,” he said.
According to Melancon, this means executives and boards have to collaborate on an acceptable risk threshold that may need adjustment as the business grows and changes.
“The good news is that this study signals that conversations are beginning to happen at all levels of the organisation. This is a critical step in changing the culture of business to better manage the ongoing and rapid changes in cyber security risks,” he said.
While the results of the study indicate increased preparedness on the part of IT professionals, Melancon believes they expose uncertainty at the C-level and point to the need to increase literacy in cyber security and its attendant risks in the near term.
“I think these results are indicative of the growing awareness that the risks connected with cyber security are business-critical, but it would appear the executives either don’t understand how much they have to learn about cyber security, or they don’t want to admit that they don’t understand the business impact of these risks,” he said.
According to the study, competitive pressures to deploy cost-effective business technologies commonly affect resource investment calculations for security.
“These competing business pressures mean that conscientious and comprehensive oversight of cyber security risk at the board level is essential,” said Melancon.
However, he said he was not surprised that C-level executives are less confident than their boards or IT executive staff.
“That lack of confidence comes, in large part, from the networking and informal benchmarking that takes place among C-level executives at the peer level. There is a lot of 'comparing notes' that happens between C-level peers.
“When this happens, you are able to get a more informed view of where you are in your overall cyber risk preparedness. This is in direct contrast to IT professionals who generally have a more insulated view of their own cyber risk, which can lead to a false sense of security,” he said.
According to Melancon, that difference in perspective of internal and external inputs could explain the confidence gap highlighted by the study.