Security weaknesses often start at the top of organizations. According to Code42’s “CTRL-Z Study 2017,” 75 percent of CEOs and more than half of other top executives admitted that they use applications that are not approved by their IT department. This could be due to lack of engagement between the security team and the C-suite, management’s stubbornness and aversion to change (such as that one CEO I knew who used a go-to password for more than three decades and refused to change it), or poor security awareness among top executives. Furthermore, 91 percent of CEOs acknowledged that their behaviors put their organizations at risk.

Communicating Risks in the Language of Money

This is, frankly, disturbing. So many executives prioritize productivity over data security that it is a wonder more enterprises aren’t breached. To illustrate the problem, Barracuda detailed four major phishing campaigns that impersonated the CEO’s or CFO’s address to extort funds from enterprises. These attacks were widely successful, netting tens of millions of dollars in wire transfers that employees executed, ignorant to the fact that they were moving money into criminal accounts.

CEOs often lack security awareness because IT teams don’t properly communicate risks to top management. Security professionals often talk techie and fail to articulate the business benefits and risks of particular practices. They need to improve their communication by using the language that the CEO understands: money. Instead of reporting to your board of directors how many malware attacks your fancy technologies have blocked or how well your firewall is working, talk about how the failure of security can affect your bottom line.

Security consultant David Froud said he is surprised that many CISOs still have a job when they don’t understand the language of money. “The vast majority of board members care nothing for the security details, and frankly, nor should they,” he wrote.

Lead By Example to Boost CEO Security Awareness

Another problem is that many security managers don’t practice what they preach, which can quickly turn off their executive peers. There is no point in having a complex multifactor authentication system, for example, if only a portion of the staff uses it.

Clearly, we still have a long way to go to bolster security awareness among CEOs. Convincing them to follow simple security best practices, such as changing their passwords or using a password manager or single sign-on tool, could be an important first step.

Listen to the six-part podcast series: A CISO’s Guide to Obtaining Budget

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…