CEOs still don't get cyber security, study finds

News by Doug Drinkwater

A new study reveals that boardroom executives are still unaware of cyber threats, much to the chagrin of those working in information security.

In the first of a two-party study sponsored by Websense, Ponemon Institute surveyed 4,881 experienced IT and IT security practitioners across 15 countries across the world, and found that not only were C-level executives unaware of the security risks, but that infosec practitioners themselves were finding it hard to keep up with cyber-criminals.

Approximately 80 percent of respondents said that their company's leaders "do not equate losing confidential data with a potential loss of revenue", despite Ponemon indicating that the average cost of an organisational data breach is approximately £3.2 million ($5.4 million).

In addition, just under half of global respondents (52 percent in the UK) said that their board-level execs had a subpar understanding of security issues. Although this number has not been measured in previous studies, analysts believe that “cyber security awareness has most likely increased over the last few years."

Despite this, Websense EMEA strategist Neil Thacker admitted that there is work to be done in order to get C-level onside with cyber security.

"I see a lot of professionals in the dark at the moment," he said generally, an observation backed up by the report's finding that less than half (41 percent) of respondents (35 percent in the UK) believe they have a good understanding of the threat landscape.

"We need to bring them out [of the dark] so they understand what the latest threats are," he added.

On the C-level awareness, Thacker further added that the 80 percent figure is a "huge worry" not least with the EU Data Protection Regulation changes just around the corner. That said, he expects the proposed changes - which will see data breach fines of up to  5 percent of global revenues - to raise awareness.

"This will make it more of a discussion at boardroom level. Data and data losses will become a top-line level," he told

He goes onto added that it's up to CSO and CISOs to establish what is the confidential data, and the likelihood that being lost, in order to get budget and resources from the boardroom. He advises that spending goes on 'layered' security and improved threat intelligence, something he says remains an issue.

"There is a general lack of knowledge on the best place to get threat intelligence," he said while noting that researchers at Websense - as well as ENISA (where he is a member) have noted "some improvement" in this area. The Ponemon study finds that over half of respondents (59 percent worldwide, 58 percent UK) do not have adequate intelligence and, perhaps as a result, are unsure about attempted attacks.

SIEM solutions are however not the way forward, according to Thacker, who adds that most businesses are ‘struggling' to find its value on a return on investment (ROI) basis. Instead, he says that firms are looking at big data security analytics and other solutions that do more than just detect threats.

Other headline figures from the study including the finding that 57 percent of IT pros do not think that their organisation is protected from cyber attacks, with 63 percent doubting if they can stop the exfiltration of data.

Forrester analyst Andrew Rose is not surprised by the finding that companies don't feel protected from cyber attacks.

“This is unsurprising as systems have evolved to be multi-layered and complex. Many organisations will be using multiple systems including mainframes AS400s and UNIX systems to process their critical business transactions, often all working together and hidden under a nice Windows GUI,” he told

“As the systems interact, across different operating systems and protocols, there are bound to be inconsistencies, translation errors and an acceptable level of deviance from standards, all of which enable the threats to interject.”

In response to this news, Clive Longbottom, founder and analyst at Quocirca, in part blamed the C-level disconnect to those in the information security industry.

"My take is that [the report] isn't worth the paper it is written on," he said in an email to

"Why? Because security issues have been worded in arcane language since they first came about – and this has led to the emergence of the Chief (information) Security Officer," he added.

"This means that the rest of the C-level staff can carry on as they want – cyber security is someone else's responsibility. Unfortunately, CSO staff tend to be security specialists – not business specialists, and so get in the way of business happening, with more of an approach of “don't do this”, rather than “how can we do this securely?”.


"Security has to be baked in to the business – and not just at a cyber level.  Security is a business issue, and has to include how people operate; how information is used (including via telephone, paper and any other way)."

This study follows another by Turnkey Consulting, which revealed that one in six IT security pros believe that their organisation sees security merely as "an unnecessary expense only undertaken to  keep the auditors happy."

Richard Hunt, managing director of Turnkey Consulting, said at the time: “It is concerning to see that IT security is still not perceived to be an integral part of the business.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews