A recent Ponemon Institute survey reveals a gap in perceived security preparedness between the board of directors and IT executives.


  • Approximately 59% of board members rate their cybersecurity governance practices as very effective, while only 18% of security pros believe this to be true.


The divide over what constitutes IT risk preparedness within the enterprise has consequences that extend beyond broken lines of communication. Since the board members are in charge of the company’s overall performance, a gap of this kind allows other problems to persist that keep an organization from reaching an effective risk management posture.


One such area is security training and education. If leadership is under the impression that their risk posture is in good standing, they won’t be as motivated to ensure security training programs take place. Training matters because it isn’t enough to have a risk management plan; businesses must also train employees so that security best practices become routine. Human error is one of the top causes of breaches, which means employees continue to do things that put data and the enterprise network at risk, such as falling for phishing scams, misplacing devices that hold company data, and not keeping their passwords private. Education is also important because the IT team should continue expanding its knowledge of risk management issues and industry advancements. They should have the opportunity to grow their skills as security professionals in order to better secure the organization.


Another problem that arises when board members believe their organization’s risk management practices are effective (when they are not) is the limited resources allocated to the IT department. When only a small portion of the company’s budget is dedicated to securing the enterprise, it becomes quite challenging for the CIO to expand risk management measures. Since finding vulnerabilities and keeping an eye on the network as much as possible requires time and manpower, limited funds mean organizations can invest in only part of what makes this oversight effective. Tools such as antivirus software or firewalls become the first stop, while the option of calling on an external security consultancy with the expertise and personnel to come in monthly and audit the network becomes unattainable unless a breach happens. If we recall breaches such as those at OPM or Target, both organizations had to call on an external security firm once they were breached. If we look at the Hacking Team incident, we discover that the tools organizations use to secure their environment are not always as effective at protecting data or keeping it private as businesses think.


Although most decision makers across an organization consider security risks a top concern, the fact that they hold different views on how prepared they are to face threats could be one of the reasons why organizations aren’t making much progress in closing the open gaps in their enterprise’s security posture. Thankfully, industry surveys and news coverage allow these issues to rise to the surface and help organizations understand the need for additional steps to truly get their risk management posture on track. In this case, the board of directors and IT security executives need to get on the same page when it comes to their organization’s security readiness.
Do you know where your risk management readiness truly stands?


Photo courtesy of Stuart Miles