Are IT executives blind to cybersecurity threats?

If IT leaders and IT workers can’t agree that there’s a problem, what are the chances that they’ll actually implement the cybersecurity policy they need?

Is your company’s cybersecurity keeping you up at night?

If you're an IT professional, the answer to that question is probably yes. If you're an IT executive, the answer to that question might be no – even if you work at the same company.

What we're seeing, says Jack Danahy, co-founder of Barkly, a Boston-based endpoint security startup company, "is a breakdown in communication."

That's what Barkly found in its "Cybersecurity Confidence Report." Barkly surveyed 350 IT professionals and found that 50 percent are not confident in their current security products or solutions.

However, the story is different at the executive level: Nearly 70 percent of IT executives said they have confidence in their current security solutions. There's a disconnect in measuring return on investment, too: About 70 percent of IT executives said they're confident that it can be determined, while less than 50 percent of IT pros said the same thing.

Unsecure thoughts

Danahy says that one reason IT professionals are so worried about their security is that bad things keep happening. One third of respondents didn't know how many attacks had happened at their companies in the last year. Of those who could quantify it, the average was 2.7.


For the IT professional, 2.7 is 2.7 too many. The IT executive sees that number differently.

"The exec says that's awesome. From the perspective of the IT professional, it's 'Oh my goodness, look at all these attacks I have to worry about,'" Danahy says. IT professionals are more worried about attacks because they're "a little bit closer to the threat."

"IT professionals tend to manage individual system components," says Steve Bell, security expert at BullGuard, an Internet and mobile security software company. "They know how everything fits together and the vulnerabilities." They have a "microview," which can make them less confident because they see the flaws, and they see how some security solutions slow down the business, on a daily basis.

IT executives, however, often have a "false sense of security" because of blind faith in technologies like firewalls and intrusion detection systems, Bell says. "It's almost as if a list of required products has been ticked off and that's it, end of matter."

That false sense of security can leave IT executives not only disconnected from the reality of their security situation but also blind to the threats that are actually going on. According to a recent study by Proofpoint, phishing via social engineering, which exploits weaknesses in people rather than in security technology, is once again becoming one of the most common techniques cybercriminals use to break into a company's systems.


For that reason, Jay McLaughlin, chief security officer and senior vice president of Q2 Holdings, has led a program to phish his own employees. "I really do think it's not a matter of if but truly a matter of when that occurs," he said.

But that's not something a company would do if its IT professionals and executives weren't talking to each other to identify what, and who, was really at risk.

Changing the conversation

Communication is what will get IT professionals and executives on the same page, says Bell.

"It's about communication and the need to talk to each other in a language that both understand," Bell says. "IT might talk in terms of updates, breaches and vulnerabilities. The executive team talks about technology in the context of the business."

For IT professionals, that different conversation means knowing what priorities executives have and why. "Sure, they think they're communicating what management needs to know to make good decisions, but it's hard," Danahy says, because sometimes priorities are mismatched. Price or ease of deployment might end up trumping how well something actually works.

Executives, for their part, need to start asking better, and deeper, questions.

"Executives won't say 'what have you done and where are we at?' The following question that might be a little bit more for a management professional to ask is 'What are you worried about?'" That, Danahy says, could lead IT professionals to say what they're spending most of their time on, things that might otherwise be hidden from the executive view.

That's especially true if IT professionals feel overwhelmed, or helpless, in the security fight. Bell says that's when outside help might need to be called in. "Expert objective insight can shine light on the issues fairly rapidly, whether it's penetration testing, security policy assessment or a system review," he says. "Often this in-house expertise can be missing, especially if the executive board hasn't bought into the importance of security for the business."

Stories by Jen A. Miller