We can work it out

A new study published by BAE Systems highlights the disconnect between C-level executives and IT Decision Makers when it comes to perceptions of cybersecurity within the enterprise. The report, based on survey data from 221 C-level executives and 984 IT Decision Makers across the globe, compares the two groups’ concerns about cyber attacks, their companies’ capabilities in handling threats, and what is required to defend the enterprise more effectively.

Promisingly, 71% of the C-suite said that cybersecurity is the top challenge facing their business today.

Source: BAE Cyber Defense Monitor 2017

“Promising” might seem an odd word to use in this context, but this data indicates that executives realize the fundamental importance of attending to cybersecurity challenges in the same way as they do market competition and external pressures, the impact of new technology on business growth, and compliance matters. For years security practitioners have had to fight for the proverbial “seat at the table.” We’re now seeing that security is not just at the table, but in the hot seat when it comes to business impact.

Try to see it my way

In an interesting twist, however, only 46% of IT Decision Makers view security as the biggest challenge facing the organization.

Source: BAE Cyber Defense Monitor 2017

One reasonable explanation for the disparity as it relates to overall business challenges is that security practitioners may have significantly more confidence in the team’s ability to deal with cyber attacks than their C-level colleagues. Practitioners understand the scope of threats facing the organization, what is or may be impacting the organization directly, internal technology capabilities and pitfalls, and team member skill sets. Sitting in the seat of the security practitioner provides a different view of what’s possible—both in terms of identifying and handling a security event—whereas CEOs, CFOs, and other executives are not scrutinizing the specific capabilities of the security team, but are influenced by the overviews, highlights, and monthly reports they are presented, as well as by what they are hearing broadly in the marketplace.

Without detailed insight, and in light of the severity of cybersecurity problems worldwide, executives may be less convinced of security’s efficacy, and thus view cybersecurity as a greater business challenge than those who manage the details daily. In addition, as we will see later, confidence may also be affected by how each team views the security function—as either strategic or tactical.

Do I have to keep on talking till I can’t go on?

Despite significantly larger concern about cybersecurity’s impact on the business, the C-suite reports greater confidence in the business’s ability to handle growing threats. Twenty-seven percent of executives are “very confident” that their organizations are “equipped to prevent a cyber attack” versus 20% of IT Decision Makers. On the other hand, 61% of IT Decision Makers are “fairly confident” about being able to prevent cyber attacks compared to 55% of executives.

The discrepancy may lie in the wording used in the study; security practitioners are generally tempered about how realistic it is to prevent cyber attacks altogether. Practitioners are inclined to view the security program through the lens of “prevent, detect, mitigate, restore,” which leaves added grey area when it comes to labeling how the organization manages attacks.

Looking at the larger picture, though, it is clear that both IT Decision Makers and executives are generally positive about their security programs’ abilities.

While you see it your way

Where things become less harmonious is around the perceptions of what cybersecurity means to the business in terms of risk. When asked how budgets, time, and resources are allocated, 47% of executives said “To respond to new or increased cyber threats,” and 42% said “To plug gaps in our existing IT infrastructure or security platforms,” both very tactical measures. In comparison, half of IT Decision Makers worldwide said effort, money, and staffing were spent “To minimize IT security risk.” According to this data, security teams appear to view their efforts as more strategic than senior management does. In the U.S., executives were even less convinced (compared to the global average) of security’s strategic contribution; only 22% of the U.S. C-suite responded that additional funding is spent on minimizing risk.

Run the risk of knowing that our love may soon be gone

As such, security and IT teams need to do a better job communicating risk to other areas of the business. Security ultimately is—or should be—a risk discipline; the job is to ensure confidentiality, integrity, and availability of systems and data so the business can run smoothly. If executives are not yet able to see how this is a strategic function of the business, security should put more effort towards translating achievements into the terms senior management can use when making risk decisions.

Security may already be a top business concern and a major media headline, but the industry has not yet figured out how to be a strategic partner to the business. Even if security is in actuality helping the organization run with fewer disruptions and less loss, the results of the BAE study show that the C-suite is not entirely convinced. While executives report confidence in enterprise capabilities, that confidence is at an operational level (which is still very valuable, needless to say). At the end of the day, however, if security hopes to increase influence and gain both more respect and budget (which will help operationally), security and IT decision makers need to get to work crafting the risk story and take the focus off mega breaches, sophisticated cyber criminals, and other pernicious flavors of FUD.
