Light Dark
September 8, 2017 By David Strom 2 min read
CISO
Risk Management

Security weaknesses often start at the top of organizations. According to Code42’s “CTRL-Z Study 2017,” 75 percent of CEOs and more than half of other top executives admitted that they use applications that are not approved by their IT department. This could be due to lack of engagement between the security team and the C-suite, management’s stubbornness and aversion to change (such as that one CEO I knew who used a go-to password for more than three decades and refused to change it), or poor security awareness among top executives. Furthermore, 91 percent of CEOs acknowledged that their behaviors put their organizations at risk.

Communicating Risks in the Language of Money

This is, frankly, disturbing. So many executives prioritize productivity over data security that it is a wonder more enterprises aren’t breached. To illustrate the problem, Barracuda detailed four major phishing campaigns that impersonated the CEO’s or CFO’s address to extort funds from enterprises. These attacks were widely successful, netting tens of millions of dollars in wire transfers that employees executed, ignorant to the fact that they were moving money into criminal accounts.

Related: A CISO’s Guide to Obtaining Budget: Know Your Audience

CEOs often lack security awareness because IT teams don’t properly communicate risks to top management. Security professionals often talk techie and fail to articulate the business benefits and risks of particular practices. They need to improve their communication by using the language that the CEO understands: money. Instead of reporting to your board of directors how many malware attacks your fancy technologies have blocked or how well your firewall is working, talk about how the failure of security can affect your bottom line.

Security consultant David Froud said he is surprised that many CISOs still have a job when they don’t understand the language of money. “The vast majority of board members care nothing for the security details, and frankly, nor should they,” he wrote.

Lead By Example to Boost CEO Security Awareness

Another problem is that many security managers don’t practice what they preach, which can quickly turn off their executive peers. There is no point in having a complex multifactor authentication system, for example, if only a portion of the staff uses it.

Clearly, we still have a long way to go to bolster security awareness among CEOs. Convincing them to follow simple security best practices, such as changing their passwords or using a password manager or single sign-on tool, could be an important first step.

Listen to the six-part podcast series: A CISO’s Guide to Obtaining Budget

 |  |  |  |  |  | 
David Strom
Security Evangelist

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature