Now more than ever, it’s evident cybersecurity risk oversight at the board level is essential to keep any business or organization afloat – and off the headlines. However, despite the abundance of data breaches and high-profile cyber attacks, C-level executives still lack understanding of these cyber risks, as well as confidence in their organization’s preparedness in the event of a breach. According to a new study conducted by Dimensional Research, C-level executives at some of the largest U.S. companies unanimously declared themselves as being “cybersecurity literate.” But as Tripwire chief technology officer Dwayne Melancon explains, there’s a big difference between cybersecurity awareness and cybersecurity literacy. “If the vast majority of executives were really literate about cybersecurity risks, then spear phishing wouldn’t work,” said Melancon.
“The results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit they don’t understand the business impact of these risks.”
Additionally, the Cybersecurity Literacy Confidence Gap study, which surveyed 200 business executives and 200 IT professionals, demonstrated that IT security literacy doesn’t necessarily translate into confidence. C-level executives appeared to have less confidence (68 percent) than non C-level executives (80 percent) that cybersecurity briefings presented to the board accurately represented the urgency and intensity of the cyberthreats targeting their organizations.
Furthermore, only 65 percent of C-level executives believed their executive team has the appropriate tools to accurately present these risks to the board, as opposed to 87 percent of non C-level executives. Although there are noteworthy divergences in these statistics, Melancon points out that the lower level of confidence on the part of executives reflects a “sea change” in the way cyber risks are being handled. “The good news is these results signal that a conversation is beginning to happen at all levels of the organization,” he said. “This is a critical step in changing the culture of business to better manage rapid changes in cybersecurity risks.”

Meanwhile, Tripwire’s director of IT risk and strategy Tim Erlin says the difference in confidence between C-level executives and IT professionals is surprising. Studies often show IT executives – who deal directly with risks and vulnerabilities in real time – are less confident in their organization’s ability to withstand these potential threats. “This survey found the opposite, and while the results point towards increased preparedness on the part of IT professionals, the low levels of C-level confidence point towards the need to increase board and C-level executive cybersecurity,” said Erlin.

However, a separate study may give some insight into another reason for their lack of confidence. A survey of 250 attendees of the RSA and BSides SF conferences held last month revealed that information security professionals believe C-level executives would and should be held responsible when a data breach occurs:
- 41 percent of respondents believe CIOs, CISOs or CSOs would be to blame,
- 18 percent of respondents believe the CEO should be held responsible, and only
- 10 percent of respondents believe the company board should be held accountable.
“Cybersecurity liability is difficult to assign because you have to determine who knew about the risks,” said Tripwire’s senior security analyst Ken Westin. “Then you have to figure out what they did, or did not do about them.” Westin believes CEOs could own some of the responsibility if they were made aware of security risks and did not provide the resources or plans to fix them.
“On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of responsibility falls on her or him.”
Nonetheless, Westin stresses that cybersecurity is a team sport that requires active support across the organization and from all levels of the executive team.