Well, this should come as no surprise to anyone who works in the corporate world: for the most part, CEOs (and I suspect CFOs are even more clueless) really do not see security as a serious issue. I would say that a big part of this is that CISOs (Chief Information Security Officers) are rarely good at describing the business risk associated with security and compliance in terms that anyone outside the security business can understand. My comments in bold under each slide.
> CEOs and CISOs don't always see eye-to-eye on information security. That's perfectly understandable, as the CEO is (and should be) removed from the specifics of the threats hitting the details of the network and defenses that have been established by the CISO. However, a recent survey released by Core Security highlights just how far apart these two C-Suite executives can be over their company's security posture. Core Security received responses to its survey from 100 CEOs and 100 CISOs in the United States in April 2012. The numbers are eye-opening. Only 15 percent of CEOs said they were very concerned about an attack on their network. Nearly three-quarters of the CEOs surveyed didn't think their systems were under attack or already compromised. Contrast that with more than 60 percent of CISOs being very concerned about attacks and believing their systems were already breached. "With all of the cyber threats that are reported on a weekly, monthly and annual basis, 36 percent of CEOs don't deem it necessary to get a security briefing from the member of their executive team who oversees security," wrote Mark Hatton, Core Security's CEO. If any other area of the company posed the multi-million dollar risk that cyber-security does, management would devote significant attention to the issue, and security should be no different, Core Security said in its report. Here are 10 ways that CEOs and CISOs differ on their views of information security.
The responsibility here is to ensure that the CEO knows that it will be his face on the newspaper article highlighting how your organization's lack of security caused the private information of dozens of your clients to be released to the public.
I would say that this is wishful thinking from CEOs, as anyone with a passing interest in the world should realize at this point that almost every organization has likely already been targeted.
This boils down to a different way of perceiving things between CEOs and CISOs...the CISO is thinking about how things happen (and it is true that most data breaches start with internal users), whereas the CEO is really only looking at the final step in the chain.
I find it very interesting that CISOs are not that concerned about the loss of mobile devices...if I were an attacker and I ever found a corporate mobile device, I would load it to the gills with malware and then return it to the user...being the helpful sort of fellow I am.
Similar to my previous comments, security begins with well-informed employees...and consistent enforcement of security policies. All too often employees violate security policies and nothing ever happens to them...perhaps a two-day mandatory "security refresher" course would be in order the first time an employee violates company security policies.
I suppose these feelings arise from the fact that most boards have terrible oversight and that most CEOs are forgiven if their ignorance loses the company tens of millions of dollars...perhaps we need to start holding CEOs accountable?
Perhaps someone should ask the employees whether they actually learned anything from the "online training" they just clicked through in 10 minutes to write a 5-question multiple-choice test...three times before they got it right?
This slide is the most frightening one in the whole deck...ultimately the CEO is responsible for everything that goes on in an organization...if he never speaks to one of his direct reports, how can he be doing his job?
Sadly, most executives (CISOs and CEOs) believe that if they could just purchase the right magic box then all their security worries would be over...good security is like fighting a war: your opponent is going to adapt their tactics to overcome your weapons, so there are no silver bullets in staying secure.
Well, at least we end on a promising note; indeed, security is the responsibility of everyone in an organization.