C-suite executives sometimes struggle to understand the vocabulary and meaning of IT security speak, often shying away from showing their need for more information, a new study by security provider Kaspersky reveals.
Data Derived From 2 Studies
Data for the report comes from two separate Kaspersky studies. One consisted of some 2,300 C-suite executives and IT security managers in one survey and a second of some 4,300 IT workers as a part of Kaspersky’s global Corporate IT Security Risks Survey.
Combined data showed:
- 98% of non-IT respondents revealed they have faced at least one IT security miscommunication that regularly leads to bad consequences.
- As a direct result of miscommunication regarding IT security within their organization, 62% of managers admit it led to at least one cybersecurity incident.
- 42% of business leaders want their IT security teams to better communicate cybersecurity incident risks and consequences, while most IT workers (76%) say they face no difficulties explaining their work to colleagues and executives.
- 34% of C-level executives struggles to speak about adopting new security solutions, while 51% of information security workers find it most difficult talking about increasing budget for IT security.
- 56% of C-levels and 48% of IT workers agree that providing real-life examples is the most efficient method to ease communication on IT security related issues.
What IT Managers Know and Don't Know
Here are some additional findings:
- While all surveyed top-managers regularly discuss security related issues with IT security managers more than one-in-ten respondents have never heard of threats such as botnet (12%), APT (11%) and zero-day exploits (11%).
- At the same time, while spyware, malware, trojan and phishing appeared to be more familiar terms, more than one in ten top managers admit they have never heard of cybersecurity terms like DecSecOps (13%), zero trust (11%), SOC (11%) and pentesting (11%).
- 33% of non-IT executives in the U.S. said they would not feel comfortable flagging that they don't understand something during a meeting with IT security.
- Although most of them hide their confusion because they prefer to clarify everything after the meeting or choose to figure everything out by themselves, 36% of manager don’t ask additional questions because they don’t believe the IT peers can explain it in a clear way.
- 43% reported they feel embarrassed revealing they don’t understand the topic and don’t want to look ignorant in front of IT colleagues.
What Kaspersky Recommends
To ease the communication between IT security and business functions within the company, Kaspersky recommends the following:
- IT security should be positioned as a driver for growth and innovation in the organization. To achieve this the IT security team should move away from prohibitive tactics and rather explain how the business can achieve its goals while mitigating cybersecurity risks.
- Chief information security officers (CISOs) should actively engage in operational activities and build relationships with the company’s stakeholders. While fewer than 20% of CISOs have established partnerships with key executives in sales, finance and marketing, it is hard for them to stay abreast of the needs of the business.
- When communicating with the board, use arguments based on an overview of threats by experts, your company’s attack status and best practices.
- Explain the board what the main responsibilities of IT security team are. If possible, provide them with an opportunity to walk in a CISO’s shoes to get insights on the most relevant IT security challenges.
- Allocate cybersecurity investments in tools with proven efficacy and return on investment. This means tools that lower the level of false positives, and reduce times of attack detection, the time spent per case and other metrics are important to any IT security team.