April 4, 2016 By Douglas Bonderud 2 min read

Who’s ultimately responsible for cybersecurity? It’s a critical question; according to Bloomberg BNA, 84 percent of businesses polled have adopted some kind of cybersecurity framework, and information security is quickly becoming a high-priority boardroom topic.

But there’s a problem: A new survey found that more than 90 percent of executives can’t read a security report, CNBC reported. More worrisome? Forty percent say they “don’t feel responsible” for the repercussions of a hack. Are execs passing the buck on cybersecurity responsibility?

Rolling Downhill

As noted by CNBC, many C-suite executives don’t feel prepared to handle a cyberattack but aren’t making the effort to become personally invested in the InfoSec process. Instead, they’re “handing this off to their techies, and they’re really just placing their heads in the sand right now,” said Dave Damato of security firm Tanium, whose company commissioned the recent survey along with Nasdaq.

With companies losing more than $400 billion a year to cybercrime, it’s impossible for executives to ignore the effects of bad security habits. However, since IT expertise isn’t part of the executive skill set, it’s often easier to delegate this responsibility downhill and focus on more pressing line-of-business tasks.

Opting out, however, comes with two significant risks. First is a complete absence of adequate protection. SC Magazine reported that 16 percent of all companies surveyed didn’t have any type of cybersecurity framework in place. If executives aren’t willing to invest time or money into the process, IT professionals will find other tasks to complete.

Another problem? CEOs and other high-profile executives are often on the hook as the public face of a data breach or loss. Shareholders want accountability, and “it wasn’t my job” isn’t a satisfactory answer.

Talking Up Cybersecurity Responsibility

Helping executives embrace cybersecurity responsibility requires a two-pronged approach. It starts with InfoSec professionals and CISOs improving data presentation and visualization at board meetings.

Tripwire put it simply: IT staff have trouble talking to management. This won’t be a terminal problem if they take a cue from other boardroom presenters and adopt a hits-and-highlights strategy — provide clear, actionable data without embellishment or excessive technical detail.

C-suite executives, meanwhile, need to re-evaluate their time investment since it’s not possible to pick up enough security knowledge simply by paying attention during presentations. Management must take some extracurricular initiative to learn critical IT terms, network vulnerabilities and potential repercussions.

If a breach occurs, CEOs who know exactly what happened, are part of the plan to fix the problem and who don’t pass the buck have a far better chance of keeping their title when the dust and data settles.

More from

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today