Who’s ultimately responsible for cybersecurity? It’s a critical question; according to Bloomberg BNA, 84 percent of businesses polled have adopted some kind of cybersecurity framework, and information security is quickly becoming a high-priority boardroom topic.
But there’s a problem: A new survey found that more than 90 percent of executives can’t read a security report, CNBC reported. More worrisome? Forty percent say they “don’t feel responsible” for the repercussions of a hack. Are execs passing the buck on cybersecurity responsibility?
As noted by CNBC, many C-suite executives don’t feel prepared to handle a cyberattack but aren’t making the effort to become personally invested in the InfoSec process. Instead, they’re “handing this off to their techies, and they’re really just placing their heads in the sand right now,” said Dave Damato of security firm Tanium, whose company commissioned the recent survey along with Nasdaq.
With companies losing more than $400 billion a year to cybercrime, it’s impossible for executives to ignore the effects of bad security habits. However, since IT expertise isn’t part of the executive skill set, it’s often easier to delegate this responsibility downhill and focus on more pressing line-of-business tasks.
Opting out, however, comes with two significant risks. First is a complete absence of adequate protection. SC Magazine reported that 16 percent of all companies surveyed didn’t have any type of cybersecurity framework in place. If executives aren’t willing to invest time or money into the process, IT professionals will find other tasks to complete.
Another problem? CEOs and other high-profile executives are often on the hook as the public face of a data breach or loss. Shareholders want accountability, and “it wasn’t my job” isn’t a satisfactory answer.
Talking Up Cybersecurity Responsibility
Helping executives embrace cybersecurity responsibility requires a two-pronged approach. It starts with InfoSec professionals and CISOs improving data presentation and visualization at board meetings.
Tripwire put it simply: IT staff have trouble talking to management. This won’t be a terminal problem if they take a cue from other boardroom presenters and adopt a hits-and-highlights strategy — provide clear, actionable data without embellishment or excessive technical detail.
C-suite executives, meanwhile, need to re-evaluate their time investment since it’s not possible to pick up enough security knowledge simply by paying attention during presentations. Management must take some extracurricular initiative to learn critical IT terms, network vulnerabilities and potential repercussions.
If a breach occurs, CEOs who know exactly what happened, are part of the plan to fix the problem and who don’t pass the buck have a far better chance of keeping their title when the dust and data settles.