Research from the Ponemon Institute claims to show that IT staff from more than half of businesses (51 percent) filter out any negative facts before reporting security risks to their C-level (CEO, CFO etc) bosses.
According to the independent report - entitled `Security Metrics to Manage Change: Which Matter, Which Can Be Measured,' sponsored by FireMon - 71 percent of respondents to the survey said that communication occurs at too low a level - or only when a security incident has already occurred (63 percent).
The report took in responses from 597 people working in the IT, IT security, compliance and risk management divisions of major companies.
The survey found that a security posture perception gap places organisations at risk - with just 13 percent of respondents rating the security posture of their organisation as very strong. Against this, 33 percent of respondents said that their CEO and board believe their organisation has a very strong security posture.
The Ponemon report concludes that this gap reveals the problems the security function has when it comes to accurately communicating the true state of security.
It was with this in mind that we caught up with Jody Brazil, CTO of FireMon, whose idea the report was - and we asked him what the key takeouts from the analysis were for him.
The real crux of the issue, he said, is the cost challenge in most large organisations, as most major businesses do not want to pay the real cost of `security insurance' in the shape of effective security defences.
Then there is the disconnect between different people in a typical organisation, he added, noting that the technical team often does not have the language to talk to other disciplines in the company. It is, he explained, a tough challenge.
Phil Turtle, a Master Practitioner in NLP (Neuro Linguistic Programming - defined as a language-based and behavioural approach to management) said that most people intuitively filter out any negative issues before relaying any information to their C-level managers, due to the `culture of fear' that exists in most businesses.
"Coupled with the fact that IT people are not very good at communicating to C-Level management what needs to be done, and it's clear that there is a communication gulf in play here," he said.
"The real issue here is that IT professionals only rarely have the skills needed to explain their information in a format suitable for C-Level managers to understand the nature of the problem. This means that the C-Level professional does not really understand the nature of the security problem," he added.
Professor John Walker of the Nottingham-Trent University School of Science and Technology agreed that the communications gulf challenge exists, saying he has seen it at many different companies where he has worked as a security consultant.
"It comes down the fact that people tend to be more worried about their bonuses than actively communicating the scale of the problem to their managers. The solution needs to come from the board itself, and foster a better understanding the challenges the IT security department faces on a day-to-day basis," he said.
Kevin Bailey, head of market strategy with Clearswift, said that the need to provide the reality of an organisation's security risk profile has to be consistent and in real-time.
"Companies do not expect the resolution to a malware or APT attack to be dealt with as a tick box exercise once other tasks are completed or wait for their finance teams to tell them that they have made a loss during the financial year the day before they post their fiscal results, so why should their security risk be left as 'other business' on senior management agenda items?" he said.
Bailey - a former IDC Research Director - went on to say that organisations need to revisit their investment strategies when allocating budgets, to ensure that they appreciate the tools that can provide early visibility - and resolution - to potential concerns that could severely damage the financial and reputational aspects of the company.
"Think about an organisation which has closed its eyes to social media and continued to rely on email to reach its market - by the time it acknowledged its mistake, the competition had already swarmed the prospect base, creating the need to invest heavily to catch up," he said.
"This is no different to becoming pro-actively aware of their security risk profile, if they don't do it now, the costs in financial and resources will become too steep to maintain the balance between company growth and company security," he explained.