Kicking Some Brass

Why isn't top brass more supportive of the security team? A new report identifies the problems - and what you can do about them

Do you ever wonder what the heck is wrong with top management? Why don't they see risks associated with IT security breaches? Why don't they help you do something about it?

The U.S. Department of Homeland Security has been asking some of the same questions. So it asked The Conference Board -- the same people who develop the Consumer Confidence Index and Leading Economic Indicators -- to find out. Yesterday, The Conference Board published the results of the study.

Most C-level executives still view security as an operational issue, not a strategic issue, according to "Navigating Risk: The Business Case for Security." The study, which researched the attitudes of some 213 top-level corporate, non-security executives, found that most security organizations are still operating in silos that are far removed from their highest-ranking decision makers.

Despite frequent news about security breaches, most C-level executives report that they still have little direct responsibility for most aspects of security. And the few executives who do understand the issues often do not have the influence needed to do something about it.

"In general, the executives who were most supportive of security were not the most influential, and the most influential executives were not the most supportive," says Thomas Cavanagh, senior research associate at The Conference Board, who authored the report. "A lot of organizations still treat security as an operations issue, on the same level with facilities management, and most C-level executives are mainly focused on more strategic issues."

Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. "Security directors appear to be politically isolated within their companies," Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don't have many allies in getting their message across to upper management.

A key problem, Cavanagh says, is most security managers don't know how to map their priorities to business objectives, and most top managers don't understand how security fits into their business objectives.

For example, when asked how well their company's security was aligned with business goals, high-ranking executives said the most effective alignment was in complying with government regulations (79 percent), protecting confidential information (74 percent), and maintaining business continuity (71 percent). Only 44 percent said security enhances the value of the brand, and only 36 percent said it helps in managing the supply chain.

"It indicates that security organizations have made their presence felt in areas like compliance, but they haven't been effective in showing how security can help build a brand by improving customer trust," Cavanagh says. "The supply chain result was a little surprising, when most executives know that their security perimeters are expanding to include partners."

Security managers need to reach out more aggressively to other areas of the business to help them make their case, Cavanagh says. "Risk managers are among the best potential allies," he observes, because they are usually tasked with measuring the financial impact of various threats and correlating them with the likelihood that those threats will happen.

"That can be tricky, because most risk managers come from a financial background, and they don't speak the same language as the security people," Cavanagh notes. "It's also difficult because security presents some unusual risk scenarios. There are some franchise events that could destroy the company's business, but have a very low likelihood of occurrence, so it's very hard to gauge the risk."

Getting attention (and budget) from top executives such as risk managers, CFOs, and CEOs means creating metrics that help measure the value of the security effort, Cavanagh says. In the study, The Conference Board found that the cost of business interruption was the most helpful metric, cited by almost 64 percent of respondents. That metric was followed by vulnerability assessments (60 percent), benchmarks against industry standards (49 percent), the value of the facilities (43.5 percent), and the level of insurance premiums (39 percent).

Face time is another important way to gain attention in mahogany row, the report says. In industries where there are critical infrastructure issues, such as financial services, about 66 percent of top executives meet at least once a month with their security director, according to the study. That figure dropped to around 44 percent in industries without critical infrastructure issues.

In general, however, security managers are finding that they must build a coalition of supporters within the management team. "Part of the job description of the security director is to serve as a chief lobbyist, rounding up support from other colleagues who may have more leverage in the C-suite," Cavanagh says.

The report is available here. It costs $125 for Conference Board associates; $495 for non-associates.

Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
