When it comes to cyber security, most CEOs don’t get it. That was the conclusion of a recent survey of IT security professionals on the state of their companies’ defenses against data leaks or malicious attacks.
The survey, sponsored by Websense and conducted by the Ponemon Institute, exposes the lack of communication between IT and upper management about the importance of cyber security and the damage a data breach can do to a company’s public image and bottom line.
More than half of security professionals believe that their organizations’ security controls don’t provide adequate protection against advanced cyber attacks, according to more than 5,000 IT professionals from 15 countries including the U.S. The same portion of IT professionals said that executives fail to appreciate the value of putting effective security controls in place, and do not equate a data breach with financial loss. This echoes a similar study conducted last year, also by the Ponemon Institute, which concluded that a majority of IT professionals fail to communicate security risks effectively to upper management.
It’s time for a wakeup call. As the size and cost of data breaches continue to mount, CEOs must recognize the importance of protecting their companies’ sensitive data. In this modern era, all enterprises are involved in handling valuable information. There is simply no room for lax practices, a concept that should be understood at all levels and not just among rank-and-file IT workers.
These reports show that along with managing and developing defenses against emerging security threats, IT security professionals also need to focus on informing upper management about the seriousness of security threats and convincing them to allocate adequate resources to protect against data breaches.
The high cost of low security. Financial repercussions of a data breach are huge -- an average of $5.4 million per organization, according to the 2014 Websense-Ponemon report. Last year, we witnessed massive data breaches that took place due to malicious programs such as the RAM Scraper malware and Ransomware.
The Target breach that affected millions of customers was the result of malware accessing point of sale terminals within the company’s retail facilities. Target suffered a huge loss as a result of the data breach -- possibly as much as $1 billion.
CEOs and CIOs ultimately bear the responsibility of data breaches, which means there should be major incentives for everyone to help create better communication channels and work together to ensure implementation of strong security policies and practices within the organization.
Senior managers tend to view IT security as a luxury, not a necessity, and often fail to account for the financial implications of a data breach. In the midst of developing new products and services, security takes a backseat, as adding additional layers of security controls can impact time to market and potentially create a less-than-optimal user experience.
A stitch in time saves nine. While executives may view the longer product development cycles and additional security protocols as a drain on productivity, studies show that productivity costs are much greater for companies that fail to implement adequate security practices in advance.
Related: Cyber Safeguard Faces Big Hurdle
According to a study sponsored by HP Enterprise Security, 30 percent of the cost of a data breach was due to business disruption or lost productivity. The study found that companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. The cost savings for companies deploying proper security governance practices is estimated at more than $1 million on average, according to the study.
So why are so few companies putting adequate focus on security and protecting sensitive data? Less than a third of companies have a crisis-containment plan in place for security breaches and failures, according to a report sponsored by IBM. The problem, we believe, lies in IT professionals not communicating the real costs and benefits of a comprehensive security strategy.
How to tell your boss to boost security protocols. To see how the communication between IT professionals and executives can be improved, it helps to take a look at the 2014 Websense-Ponemon report. The report found several key reasons why communication between executives and IT is so ineffective:
- Communication stays within silos instead of spreading across the company.
- Security talks occur at a low level, and are rarely brought to executives attention.
- Security professionals warnings are too technical in nature, and don’t translate the threats into easy-to-understand language.
- Criticisms of existing practices are often filtered out before being presented to management.
Security pros can effectively tackle these issues by taking the following actions:
- Ensure that cross-functional teams are allowed to communicate risks effectively, and that awareness of these risks spread beyond the walls of the IT department. People in engineering, sales and marketing also need to be aware of security risks.
- IT professionals must turn technical details of security risks into information that can be easily comprehended and digested by upper management.
- Finally, it is the responsibility of the CIO or top IT executive to address these issues directly with the CEO and executive team. This way, the issues are brought directly to their attention, and facts are not filtered out by intermediate players.
As more data moves into the cloud and across other devices, companies face a greater risk of losing sensitive information to attackers or unauthorized users. Ultimately, organizations that invest in more robust data protection face lower costs in the long run. That’s the message that executives need to hear.