The study examined the disconnect between an organizations commitments to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.
The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
“Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk.”
Key findings from the survey include:
- 64 percent said they don’t communicate security risk with senior executives or only communicate when a serious security risk is revealed.
- 47 percent said that collaboration between security risk management and business is poor, nonexistent or adversarial. 51 percent rated their communication of relevant security risks to executives as “not effective.”
When asked why communicating relevant security risks to executives was not effective:
- 68 percent of the respondents said communications are too siloed
- 61 percent said communication occurs at too low a level
- 61 percent said the information is too technical to be understood by non-technical management
- 59 percent said negative facts are filtered before being disclosed to senior executives and the CEO
“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives,” noted Dwayne Melancon, Chief Technology Officer for Tripwire.
“However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”
For more information about this study please visit:
- Organizations Misalign Security Spending with Perceived Risks
- Key Metrics for Risk-Based Security Management
- Are Security Metrics Too Complicated for Management?
- Majority of Organizations Committed to Risk-Based Security Management
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock