Cause and effect, anyone?
A new study conducted by Dimension Research on behalf of Tripwire has revealed how executives view cybersecurity risks as well as their preparedness and confidence towards dealing with a security breach if or when it should occur.
The study, which solicited the views of 200 business executives and 200 security professionals, revealed that C-level executives considered themselves to be “cybersecurity literate,” with 100% of the respondents claiming to be so, despite the number of data breaches and other high-profile attacks we’ve seen recently.
Interestingly though, IT security literacy does not translate into confidence.
Even though the number of non-C-level executives claiming a good level of understanding of security issues was a ‘mere’ 84%, C-level executives were found to be less confident (68%) than non-C-level executives (80%) that briefings presented to the board accurately represented the urgency and intensity of the cyberthreats targeting their organisations.
Additionally, C-level executives (65%) were less confident than non-C-level executives and IT executives (87% and 78% respectively) in the accuracy of the tools their organisation uses to present cybersecurity risks to the board.
As for why C-level execs are seemingly less confident than others in how risks are handled, Tripwire’s Dwayne Melancon had this to say:
The reality is that an extremely secure business may not operate as well as an extremely innovative business. This means executives and boards have to collaborate on an acceptable risk threshold that may need adjustment as the business grows and changes.
The good news is that this study signals that conversations are beginning to happen at all levels of the organization. This is a critical step in changing the culture of business to better manage the ongoing and rapid changes in cybersecurity risks.
While the results of the Tripwire study indicate an increased preparedness on the part of IT professionals, they expose the uncertainty at the C-level and point toward the need to increase literacy in cybersecurity and its attendant risks in the near term, the study said.
I’m not surprised that C-level executives are less confident than their boards or IT executive staff. That lack of confidence comes, in large part, from the networking and informal benchmarking that takes place among C-level executives at the peer level.
There is a lot of ‘comparing notes’ that happens between C-level peers. When this happens, you are able to get a more informed view of where you are in your overall cyber risk preparedness. This is in direct contrast to IT professionals who generally have a more insulated view of their own cyber risk, which can lead to a false sense of security.
That difference in perspective – internal inputs vs. external inputs – may very well explain the confidence gap this survey highlights.
There could of course be another reason why C-level executives lack confidence – the blame game.
In another piece of research from Tripwire, conducted at the recent RSA and BSidesSF conferences, 250 respondents gave their opinion on who should shoulder the blame in the event of a data breach.
Chief executive officers and the company board appear to get off lightly in the view of those who took the survey, with only 28% and 10% respectively thinking the buck should stop with them following an incident.
By way of contrast, 41% of the survey’s respondents said “CIO, CISO or CSO” when asked “Who would be held responsible in the wake of a data breach on critical infrastructure in your organization”.
As for who should be left carrying the breach blame when the music stops, a similar number (35%) plumped for the C-level once again.
Tripwire’s Ken Westlin said:
Cyber security liability is difficult to assign because you have to determine who knew about the risks, and then you have to figure out what they did, or did not do about them.
If the CEO is made aware of security risks and does not provide the resources or plans to fix them, they own some of the responsibility. On the other hand, if the CISO does not share information about risk in a format that the CEO can understand, or fails to deploy the security controls and monitoring necessary to identify potential risks, then a greater share of the responsibility falls on her.
However, cyber security is a team sport that requires active support across the organization and from all levels of the executive team.
I personally think Westlin’s observation that infosec is a team game is key and I also know from years of experience in other industries that playing the blame game tends to break that togetherness and often ends in a lose-lose situation for all concerned.
So, instead of flinging blame and identifying a scapegoat, perhaps organisations would be better served by placing an emphasis on better sharing of intelligence and, heaven forbid, better communication between everyone within the business. They might also take a fresh look at ‘cyber literacy’, what exactly that means to everyone and, indeed, whether it truly is an applicable label for their level of knowledge.