Who’s ultimately responsible for cybersecurity? It’s a critical question; according to Bloomberg BNA, 84 percent of businesses polled have adopted some kind of cybersecurity framework, and information security is quickly becoming a high-priority boardroom topic.

But there’s a problem: A new survey found that more than 90 percent of executives can’t read a security report, CNBC reported. More worrisome? Forty percent say they “don’t feel responsible” for the repercussions of a hack. Are execs passing the buck on cybersecurity responsibility?

Rolling Downhill

As noted by CNBC, many C-suite executives don’t feel prepared to handle a cyberattack but aren’t making the effort to become personally invested in the InfoSec process. Instead, they’re “handing this off to their techies, and they’re really just placing their heads in the sand right now,” said Dave Damato of security firm Tanium, whose company commissioned the recent survey along with Nasdaq.

With companies losing more than $400 billion a year to cybercrime, it’s impossible for executives to ignore the effects of bad security habits. However, since IT expertise isn’t part of the executive skill set, it’s often easier to delegate this responsibility downhill and focus on more pressing line-of-business tasks.

Opting out, however, comes with two significant risks. First is a complete absence of adequate protection. SC Magazine reported that 16 percent of all companies surveyed didn’t have any type of cybersecurity framework in place. If executives aren’t willing to invest time or money into the process, IT professionals will find other tasks to complete.

Another problem? CEOs and other high-profile executives are often on the hook as the public face of a data breach or loss. Shareholders want accountability, and “it wasn’t my job” isn’t a satisfactory answer.

Talking Up Cybersecurity Responsibility

Helping executives embrace cybersecurity responsibility requires a two-pronged approach. It starts with InfoSec professionals and CISOs improving data presentation and visualization at board meetings.

Tripwire put it simply: IT staff have trouble talking to management. This won’t be a terminal problem if they take a cue from other boardroom presenters and adopt a hits-and-highlights strategy — provide clear, actionable data without embellishment or excessive technical detail.

C-suite executives, meanwhile, need to re-evaluate their time investment since it’s not possible to pick up enough security knowledge simply by paying attention during presentations. Management must take some extracurricular initiative to learn critical IT terms, network vulnerabilities and potential repercussions.

If a breach occurs, CEOs who know exactly what happened, are part of the plan to fix the problem and who don’t pass the buck have a far better chance of keeping their title when the dust and data settles.

More from

Hackers are Increasingly Targeting Auto Dealers

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.The…

Container Drift: Where Age isn’t Just a Number

Container orchestration frameworks like Kubernetes have brought about untold technological advances over the past decade. However, they have also enabled new attack vectors for bad actors to leverage. Before safely deploying an application, you must answer the following questions: How long should a container live? Does the container need to write any files during runtime?Determining the container’s lifetime and the context in which it runs is critical, especially when hosting an internet-facing service.What is Container Drift?When deploying an application within…

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes. Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued. While this novel notes approach will eventually be phased out as phishing defenses catch up,…