There is a divide between the chief executive and the chief information security officer (CISO), on how they view threats to the IT infrastructure, a new study shows.
The survey found these two executive groups remain far apart on how to best address an issue that according to analyst reports, now costs organizations more than $30 billion annually, according to CORE Security, a predictive security solution provider.
The problem further escalates via the lack of communication between the offices of the chief executive and CISO.
More than 36 percent of chief executives said the CISO never reports to them on the state of IT infrastructure security, where 27 percent say they get updates on a somewhat regular basis.
While CISOs are pointing a finger directly at the workforce as their primary concern, citing a lack of employee education and diligence represents the greatest threat to the security of the corporate IT infrastructure.
Chief executives disagreed, believing external phishing attacks represent the largest threat to the organization and the company has sufficient time and resources to adequately train and educate their employees to effectively mitigate threats.
“These results should be a wakeup call for every organization to demand better alignment between the executives charged with protecting their most vital assets. The idea that there are such disparate views on the crucial threats facing the company between two members of an executive team is discouraging to say the least,” said Patricia Foye, senior vice president of marketing at CORE Security. “CEOs need to bring their security teams into the mainstream of day-to-day operations. Security and continual risk assessment should be woven into the fabric of operational reviews and should be an agenda item at the Board of Director level.”
With more than 60 percent of CISOs saying they fear their IT systems will experience a breach, it was somewhat surprising that only slightly more than half have ever tried to compromise their own networks to test the effectiveness of their security. In sharp contrast, only 15 percent of chief executives were very concerned about their network suffering an attack. Yet despite their confidence, 65 percent of chief executives still admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk.