Cyber-security: tense topic for IT pros to discuss with their bosses

News by Danielle Correa

More than half of cyber-security professionals find it difficult to highlight possible security system weaknesses for senior management, while the rest find it more difficult to admit something has gone wrong.

European IT security pros are under a lot of pressure from adversaries when it comes to cyber-security. However, new research from Palo Alto Networks reveals a profession that is more determined and confident than might be expected. Over 1,000 IT pros in France, Germany, the Netherlands, Sweden and the UK were surveyed.


The real tensions lie in the difficult conversations that IT security managers must have with senior management after an attack occurs. After a security breach, 32 percent report their bosses expressed confusion about why it happened at all. Nearly 20 percent say senior management blamed the team and 10 percent blamed them personally. In fact, a third of IT pros say that involving senior management makes matters more difficult.


The most awkward conversation comes about when human failure is a factor (28 percent), followed by a supplier being to blame (23 percent) or the need for more investment to mitigate future risk (21 percent).


EU legislation is also expected to increase managerial tensions. Forty-seven percent of IT pros anticipate awkward conversations with senior management about new breach notification requirements. Many (63 percent) are positive about the legislation's impact, but respondents are concerned it will add unnecessary costs and complications and cause operational strains (56 percent).

In emailed commentary to, Greg Day, vice president and regional chief security officer, EMEA, Palo Alto Networks said: “When we look at security professionals' attitudes towards upcoming EU GDPR, many see the legislative changes as positive in both reducing incidents and changing perceptions. Whilst many expect some uncomfortable discussions with their senior management, this is an opportunity to educate business leaders – and in doing so to find a more real-world balance of expectations – as incident analysis and notification will drive greater knowledge and experience across the industry.

“The EU legislation is a welcome opportunity to better engage the business in the cyber-security discussion and raise the bar. It is equally a point at which to shake up what may be outdated cyber-security concepts and beliefs. In a cyber world that is so dynamic, this is as close to a reset – or to use the technical term, ‘CTRL + ALT + DEL' – as we are likely to see, at least for the foreseeable future. As such, security leaders should leverage the legislation to redefine the principles of what cyber-security can and should be in their business, rather than continuing to evolve decades-old, uniform concepts based on a very different IT foundation,” Day continued.


The most common reasons for not reporting an incident today was that the breach was too minor (30 percent), the IT pro was too busy (27 percent) or the person who caused it was part of the senior management team.


Years of cyber-attacks have not left IT security pros reeling, but more experienced and determined to prevent attacks. Most (60 percent) said a cyber-incident provided them with the chance to learn from the experience and come back stronger, while only nine percent said it would lead to their job termination. Taking a strong preventative posture is the overwhelming strategy with, about two-thirds of the cyber-security budget being allocated to it across Europe.


“The tensions and gaps in understanding illustrated by this study are apparent. As I talk to companies across EMEA, I spend a lot of time helping them determine how IT security professionals and the rest of the senior management team can get closer on cyber-security issues that are so serious and strategic. Technology can help in simplifying the processes involved, preventing and automating effective responses to incidents. But it's clear that there needs to be more open dialogue within the senior management team to execute and continually improve on cyber-attack prevention strategies,” said Day.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews