Are CEOs nodding off in those security meetings?

By Bill Brenner

Core Security recently hired Research Now to poll 100 CEOs and 100 C-level security practitioners regarding the level of attention CEOs pay to threats against their companies. According to the findings Core released this morning, that level of attention isn’t much.

“The survey found that these two exec groups remain far apart (re: NOT even close) on awareness and how to best address an issue that according to analyst reports, now costs organizations more than $30 billion annually,” a company spokesman told me in an email. For example:
–More than 60 percent of CISOs responded that they are very concerned about their IT systems experiencing a breach.  
–In sharp contrast, only 15 percent of CEOs were very concerned about their network being attacked.
–While CISOs are pointing a finger directly at the workforce as their primary concern, citing that a lack of employee education and diligence represents the greatest threat to the security of the corporate IT infrastructure.  CEOs disagreed, believing that external phishing attacks represent the largest threat to the organization and that the company has sufficient time and resources to adequately train and educate their employees to effectively mitigate threats.

According to the survey report, more than 36 percent of CEOs claim the CISO never reports to them on the state of IT infrastructure security, as opposed to only 27 percent who report receiving updates on a somewhat regular basis.
“While CISOs are pointing a finger directly at the workforce as their primary concern, citing that a lack of employee education and diligence represents the greatest threat to the security of the corporate IT infrastructure, CEOs disagreed, believing that external phishing attacks represent the largest threat to the organization and that the company has sufficient time and resources to adequately train and educate their employees to effectively mitigate threats,” the report says, adding that “with more than 60 percent of CISOs responding that they are very concerned about their IT systems experiencing a breach, it was somewhat surprising that only slightly more than half have ever tried to compromise their own networks to test the effectiveness of their security.”
In sharp contrast, the report says, only 15 percent of CEOs were very concerned about their network being attacked. Yet despite their confidence, 65 percent of CEOs still admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk.
Some observations:
The communication gap between security practitioners and the top brass is an old story. I’ve heard about the lack of attention CEOs pay to the security staff for years now. But in more recent years, many CSO-CISO types have told me about improvements in that line of communication. The data breach pandemic has scared many top execs into paying closer attention, they’ve told me. This latest survey appears to fly in the face of that, however.
This survey response paints an incomplete picture, in my opinion. A couple hundred people doesn’t seem like enough to capture the full reality.
But that’s just my observation. I want to hear from some of the  CSOs and CISOs reading this. My question: How are communications between you and your CEO? Are they more alert than in previous years? How often do you send them updated reports on the company’s security posture?
Don’t be shy.

Shopping Cart
Scroll to Top