April 4, 2016 By Douglas Bonderud 2 min read

Who’s ultimately responsible for cybersecurity? It’s a critical question; according to Bloomberg BNA, 84 percent of businesses polled have adopted some kind of cybersecurity framework, and information security is quickly becoming a high-priority boardroom topic.

But there’s a problem: A new survey found that more than 90 percent of executives can’t read a security report, CNBC reported. More worrisome? Forty percent say they “don’t feel responsible” for the repercussions of a hack. Are execs passing the buck on cybersecurity responsibility?

Rolling Downhill

As noted by CNBC, many C-suite executives don’t feel prepared to handle a cyberattack but aren’t making the effort to become personally invested in the InfoSec process. Instead, they’re “handing this off to their techies, and they’re really just placing their heads in the sand right now,” said Dave Damato of security firm Tanium, whose company commissioned the recent survey along with Nasdaq.

With companies losing more than $400 billion a year to cybercrime, it’s impossible for executives to ignore the effects of bad security habits. However, since IT expertise isn’t part of the executive skill set, it’s often easier to delegate this responsibility downhill and focus on more pressing line-of-business tasks.

Opting out, however, comes with two significant risks. First is a complete absence of adequate protection. SC Magazine reported that 16 percent of all companies surveyed didn’t have any type of cybersecurity framework in place. If executives aren’t willing to invest time or money into the process, IT professionals will find other tasks to complete.

Another problem? CEOs and other high-profile executives are often on the hook as the public face of a data breach or loss. Shareholders want accountability, and “it wasn’t my job” isn’t a satisfactory answer.

Talking Up Cybersecurity Responsibility

Helping executives embrace cybersecurity responsibility requires a two-pronged approach. It starts with InfoSec professionals and CISOs improving data presentation and visualization at board meetings.

Tripwire put it simply: IT staff have trouble talking to management. This won’t be a terminal problem if they take a cue from other boardroom presenters and adopt a hits-and-highlights strategy — provide clear, actionable data without embellishment or excessive technical detail.

C-suite executives, meanwhile, need to re-evaluate their time investment since it’s not possible to pick up enough security knowledge simply by paying attention during presentations. Management must take some extracurricular initiative to learn critical IT terms, network vulnerabilities and potential repercussions.

If a breach occurs, CEOs who know exactly what happened, are part of the plan to fix the problem and who don’t pass the buck have a far better chance of keeping their title when the dust and data settles.

More from

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today