Cyber-crises and inadequate defence have started to blot C-suite performance reports. Businesses that do not align their IT security teams' targets with overall business performance are causing trouble for their chief executive officers, says a new study by Thycotic.
The study covering more than 100 UK IT security decision-makers said that 61 percent of respondents conceded that their CEO is often answerable if and when security teams fail to meet security targets.
Consequences faced by the chief executive range from being grilled by shareholders (44 percent) or burning the midnight oil (40 percent) to serious paycheck-pinches including giving up bonuses (37 percent), and even being fired (35 percent).
Interestingly, meeting performance targets set by the board did not come out on top when IT security teams were asked to describe what success means to them. More respondents (45 percent) rated success as being valued by the company than as meeting performance targets set by the board (42 percent).
"One of the key pillars of capitalism is that companies do what is right, because doing the wrong thing costs them money and their shareholders react by changing the board," commented Stephen Gailey, head of solutions architecture at Exabeam, citing the recent Vistaprint data breach.
"But what happens then when boards fail to understand even the most simple of Information Security principles and worse, when the shareholder organisations are similarly ill-equipped to understand the risks?"
Like regulatory penalties, the costs of data breaches are also increasing by the day. TalkTalk's former CEO Dido Harding recently conceded that the cyber-attack on the company cost it up to £35 million. It also cost her the job.
"The data breach at TalkTalk ushered in a new era where CEOs can and will be held accountable for IT security failures that occur on their watch. Today when cyber-security teams do not meet their targets, it impacts the CEO with longer hours, shareholder pushback, job insecurity and bonus reductions," commented Joseph Carson, chief security scientist and advisory CISO at Thycotic.
CEOs need to set IT security professionals proactive measures and appropriate budgets that demonstrate the positive contribution they make to overall business performance, he suggested.
"A good example is to appoint an IT security professional with good communication skills in charge of cross-departmental cooperation. This has the dual advantage of putting IT security on a more proactive footing and increasing the chances of spotting and remediating digital risks early before they can escalate and cause trouble at board level."