Money Talks: Speaking the Language of Money to Boost Security Awareness Among CEOs

Security weaknesses often start at the top of organizations. According to Code42’s “CTRL-Z Study 2017,” 75 percent of CEOs and more than half of other top executives admitted that they use applications that are not approved by their IT department. This could be due to lack of engagement between the security team and the C-suite, management’s stubbornness and aversion to change (such as that one CEO I knew who used a go-to password for more than three decades and refused to change it), or poor security awareness among top executives. Furthermore, 91 percent of CEOs acknowledged that their behaviors put their organizations at risk.

Communicating Risks in the Language of Money

This is, frankly, disturbing. So many executives prioritize productivity over data security that it is a wonder more enterprises aren’t breached. To illustrate the problem, Barracuda detailed four major phishing campaigns that impersonated the CEO’s or CFO’s address to extort funds from enterprises. These attacks were widely successful, netting tens of millions of dollars in wire transfers that employees executed, ignorant to the fact that they were moving money into criminal accounts.

CEOs often lack security awareness because IT teams don’t properly communicate risks to top management. Security professionals often talk techie and fail to articulate the business benefits and risks of particular practices. They need to improve their communication by using the language that the CEO understands: money. Instead of reporting to your board of directors how many malware attacks your fancy technologies have blocked or how well your firewall is working, talk about how the failure of security can affect your bottom line.

Security consultant David Froud said he is surprised that many CISOs still have a job when they don’t understand the language of money. “The vast majority of board members care nothing for the security details, and frankly, nor should they,” he wrote.

Lead By Example to Boost CEO Security Awareness

Another problem is that many security managers don’t practice what they preach, which can quickly turn off their executive peers. There is no point in having a complex multifactor authentication system, for example, if only a portion of the staff uses it.

Clearly, we still have a long way to go to bolster security awareness among CEOs. Convincing them to follow simple security best practices, such as changing their passwords or using a password manager or single sign-on tool, could be an important first step.

Listen to the six-part podcast series: A CISO’s Guide to Obtaining Budget

Share this Article:
David Strom

Security Evangelist

David is an award-winning writer, speaker, editor, video blogger, and online communications professional who also advises numerous startup and well-established technology ventures. He began his career as an in-house IT analyst and has founded numerous technology print and online publications, such as editor-in-chief of Network Computing magazine and as part of the launch team of PC Week's Connectivity section. David has written two books and spoken around the world at various conferences and been on national radio and television talking about network technologies. He continues to build websites and publish articles on a wide variety of technology topics geared towards networking, security, channel, PC enthusiasts, OEMs, and consumers. In addition to these activities, he consults to vendors and evaluates emerging technologies, products, strategies, and trends to help position and improve their technology products.