Better communication between security and executive team key to better security
A new survey from the Ponemon Institute about security metrics and the interaction between security teams and executives sheds some great insights on the communication, or rather the lack thereof, between security teams and senior executives. After reviewing the results, it might help explain why security at many midmarket firms is not as good as it should be.
Without even getting into what metrics you should measure and what you should report, the survey shows some startling findings around how security admins and the executive team interact (or at least how they perceive each other to interact).
There would seem to be a disconnect between how strong the security pros perceived the organization's security posture to be and how strong they thought the executives perceived it to be. Security pros felt that 66% of executives thought that their organizations were either very strong or well above average, while only about 39% of security pros themselves felt that their organizations were very strong or well above average.
Looking further into why executives don’t have a realistic view of the security posture of the organization, respondents cited several factors that all scored more than 50%.
Interestingly, over 70% of respondents think communication is at too low a level (I assume on the executive side). Does this mean high-level executives are not engaged? The next most popular choice, only communicating when there is an incident, is a classic issue, and in more than just security. Two of the other popular answers, that information is too technical and that negative facts are filtered, are ones I have heard many times.
Many security pros tell me they have to “dumb down” security metrics to allow executives to understand them. Others have said that any technical information just shuts executives down from paying attention. My issue is that some things are important and can’t be dumbed down without losing their importance. We need to convey the real importance, and it may take a little deeper understanding. This screams to why you need a security person in the executive room. However, even today most midsize organizations do not have a CISO or equivalent as part of their executive team.
Filtering out negative facts is another common problem. No one wants to be the bearer of bad news. Security has gotten a “sky is falling” reputation. After a while we move from Chicken Little to the “boy who cried wolf” and no one pays attention. This is certainly borne out in the survey answers.
Perhaps the most surprising responses were on when does the executive team meet with the security team:
Over 50% of respondents said they meet with the senior executives only when a serious risk is revealed or that they don’t communicate at all. That is scary. Scarier still is that only 13% of organizations have regularly scheduled meetings.
The rest of the report is chock full of more great information and insights.
Until security teams can get their heads around which information is important and then tackle how to best show it to the executive team, we are destined to repeat many of the failures of the past. That is too bad. Let’s hope for all of our sakes that we begin to answer these questions soon.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.