September 8, 2017 By David Strom 2 min read

Security weaknesses often start at the top of organizations. According to Code42’s “CTRL-Z Study 2017,” 75 percent of CEOs and more than half of other top executives admitted that they use applications that are not approved by their IT department. This could be due to lack of engagement between the security team and the C-suite, management’s stubbornness and aversion to change (such as that one CEO I knew who used a go-to password for more than three decades and refused to change it), or poor security awareness among top executives. Furthermore, 91 percent of CEOs acknowledged that their behaviors put their organizations at risk.

Communicating Risks in the Language of Money

This is, frankly, disturbing. So many executives prioritize productivity over data security that it is a wonder more enterprises aren’t breached. To illustrate the problem, Barracuda detailed four major phishing campaigns that impersonated the CEO’s or CFO’s address to extort funds from enterprises. These attacks were widely successful, netting tens of millions of dollars in wire transfers that employees executed, ignorant to the fact that they were moving money into criminal accounts.

CEOs often lack security awareness because IT teams don’t properly communicate risks to top management. Security professionals often talk techie and fail to articulate the business benefits and risks of particular practices. They need to improve their communication by using the language that the CEO understands: money. Instead of reporting to your board of directors how many malware attacks your fancy technologies have blocked or how well your firewall is working, talk about how the failure of security can affect your bottom line.

Security consultant David Froud said he is surprised that many CISOs still have a job when they don’t understand the language of money. “The vast majority of board members care nothing for the security details, and frankly, nor should they,” he wrote.

Lead By Example to Boost CEO Security Awareness

Another problem is that many security managers don’t practice what they preach, which can quickly turn off their executive peers. There is no point in having a complex multifactor authentication system, for example, if only a portion of the staff uses it.

Clearly, we still have a long way to go to bolster security awareness among CEOs. Convincing them to follow simple security best practices, such as changing their passwords or using a password manager or single sign-on tool, could be an important first step.

Listen to the six-part podcast series: A CISO’s Guide to Obtaining Budget

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today