As cyber threats and data breaches become a normal part of life for private and public sector organizations, a Nominet report finds that while executives know cyber risks are high, they still lack resources and accountability for handling breaches and information security.
The report – which surveyed 400 executives leading organizations of at least 8,000 employees – showed that 33 percent of business leaders thought cyber threats were a very high risk to their organizations, and 28 percent thought they were a high risk. It also found that 90 percent felt they lacked at least one resource they needed to defend against cyberattacks – the most common missing resource being advanced technology.
Other problems underlie C-level leaders’ concerns about their organizations’ cybersecurity. 46 percent said they lack senior management acceptance of advice, 41 percent pointed to budget shortfalls in cyber, and 41 percent said personnel resources were a factor.
Despite respondents’ acknowledgement of cybersecurity risks and program shortfalls, the report showed that organizations have a scattered sense of responsibility over information security oversight. 34 percent of respondents, for instance, said CEOs were responsible for information security, while 32, 19, and 10 percent said Chief Information Security Officers (CISOs), CIOs, and Chief Technology Officers (CTOs) were responsible, respectively.
The blurred lines of executive accountability largely stem from executive ignorance about cyber threats, the report said.
“The majority (71%) of the C-suite concede that they have gaps in their knowledge when it comes [to] some of the main cyber threats facing business today; the most common of which being malware (78%),” the report said. “This is alarming, given the fact that 70 percent of businesses admit to having found malware hidden on their networks for an unknown period of time – in some cases, for over a year.”
The knowledge gap between CISOs and other executives has consequences. One in three CEOs said they would terminate the contract of CISOs responsible for failing to prevent a data breach, despite 76 percent of C-level leaders saying that CISOs are must-have employees. On the other hand, 54 percent of CISOs said they received little assistance from other C-suite members in the event of a breach.
Nominet CEO Russell Haworth flagged the confusion and division of sentiment among C-level executives, and said the nature of corporate leadership attitude toward cybersecurity could compromise organizations’ overall ability to mitigate and respond to data breaches responsibly.
“Without a clear chain of command in the event of a cyberattack, the business will lack direction,” Haworth said. “It’s only natural for the CEO to want to take control, but given the apparent knowledge gaps at the top of the chain, it may be time for the CEO and the rest of the board to hand over the reins to the CISO, or equivalent senior person.”
Haworth added that in addition to giving information security teams greater control over organizations’ security posture and financially investing in security technology, companies need to attract and retain tech staff, as well as boost executive awareness of cyber threat protocol.