RSA 2016: Many C-Suite execs unsure of security risks

Security has long been sidelined as a business critical issue.

The latest study by IBM Security found that C-Suite executives not directly involved in infosec operations feel it is not necessarily something on which they need to focus, instead believing it is a problem strictly for CISOs.

Caleb Barlow, vice president for IBM Security, told SCMagazine.com at RSA 2016 that his team took a different approach with this study by only contacting C-Suite level people not directly involved in the security side of the operation in order to obtain their point of view.

One of the most telling points discovered, Barlow said, was that marketing, finance and human resources execs, while realising the need for security, did not believe they had a role to play.

Barlow said this disconnect was particularly worrisome because each of these departments typically holds extremely sensitive personally identifiable information on both employees and clients that needs to be protected, and that a closer relationship between these department heads and the CISOs is imperative.

“While CISOs and the Board can help provide the appropriate guidance and tools, CxOs in marketing, human resources, and finance, some of the most sensitive and data-heavy departments, should be more proactively involved in security decisions with the CISO,” Barlow said.

The survey also found that these executives do not know what the true threats are to their company. Seventy percent stated that rogue individuals are the primary threat, when in reality 80 percent of attacks are driven by crime rings, and marketing, HR and finance departments are prime targets for these gangs.

Another potential problem uncovered was CEOs' unwillingness to share threat information with other companies.

“Over 50 percent of CEOs agree collaboration is necessary to combat cyber-crime. Ironically, only one-third of CEOs expressed willingness to share their organisation's cyber-security incident information externally,” the report stated.