And 61 percent of global IT security pros think their CEOs don’t know enough about cyber security, a recent survey found.
A survey of 304 global IT security professionals has found that one third of CEOs and 43 percent of management teams are not regularly briefed on cyber security issues.
The survey, conducted by Dimensional Research and sponsored by CyberArk, also found that 61 percent believe their CEOs don’t know enough about cyber security, and 69 percent say cyber security issues are too technical for their CEO.
Additionally, 53 percent of respondents think their CEOs make business decisions without regard to security, and 44 percent believe that their CEOs simply don’t grasp the severity of today’s cyber security risks.
“Increasingly, it’s CEOs who own the security agenda — whether they want to or not,” CyberArk chief marketing officer John Worrall said in a statement.
“By providing greater visibility into how cyber security programs are performing, and regularly communicating needs around budget and skills, IT security professionals will gain the support of the executive team and in turn help their organization become more proactive in protecting against advanced threats,” Worrall added.
Executive visibility into security program effectiveness varies by industry, the survey found, with 72 percent of respondents in financial services and 70 percent in healthcare saying they regularly provide their executive teams with reports and metrics, but 50 percent of respondents in manufacturing, 50 percent in hospitality, 44 percent in transportation and 27 percent in education saying the same.
Sixty percent of respondents believe their organization is vulnerable to a data breach.
Seventy-five percent of respondents cited budget issues as the primary barrier to improving cyber security, followed by lack of expertise (52 percent) and ineffective security tools and solutions (34 percent).
And while 79 percent of respondents say they report on compliance metrics to demonstrate security program effectiveness, 59 percent say threat detection metrics are more important.
“Compliance does not equal security, ” Worrall said. “It can lull a CEO into a state of complacency because all it demonstrates is a simple checking of a box without context for responsible levels of information protection.”
“Security professionals are briefing executives on the wrong information,” Worrall added. “They need to arm their CEOs and executive teams with information that matters, such [as] threat detection and risk metrics versus compliance and system availability.”