A recent NTT Com Security survey of 800 senior business decision makers outside the IT department across industries (registration required) found that the education, actions, and opinions of senior executives has a significant impact on the organization's data security.
Executives were divided into four categories based on their understanding of security risk and commitment to protecting data. Respondents deemed "enlightened" on these topics were more likely to work in organizations that have strong data security policies, higher IT spend, and a more mature attitude about the value of their data. A minority of respondents fell into this category. Performance worsened in the organizations where executives fell into the "informed," "passive" or, worse, "complacent" categories.
Chris Camejo, director of assessment services at NTT Com Security and a leader in threat intelligence, told us the results of the survey are in line with his experience in the field. "There's probably the majority that know a breach is going to happen, and they want to do what they can to improve their defenses, and the remainder are just kidding themselves, because they're probably going to get breached, too."
According to the survey, 37% of all respondents said all the organization's consumer customer data is completely secure. "That's what's interesting to me," Camejo said. "So many people out there are saying, 'Yeah, yeah, yeah, we're secure. Nobody will steal our data,' when in reality that number is a lot closer to 100%."
He is part of an offensive security team that does system penetration testing on networks. There are two reactions he gets when he presents executives with a report of all the ways his team has broken past firewalls. "The more enlightened will say, 'That's along the lines of what they expected.' They know their security isn't perfect and want to do what they can to patch the holes. The others will argue with every finding, saying, 'No, that's not really possible. That's just theoretical.'"
Sometimes, Camejo's team is bought in by the IT guys to do the penetration testing, because they know there are issues, and they need something from a third party to drop on an executive's desk and say, "Look, we need budget and more attention on this."
Other times -- and more reflective of an "enlightened" and "informed" leadership -- the IT team tells executives all is fine, and there's nothing to worry about. "Executives come to us to test the systems and verify IT's claims. And woe to the IT guys if we compromise their network in a few hours after telling the executives everything is great." And then, of course, there is a third category, where everyone is on the same page, "everyone knows nothing is perfect and want a better handle on what they should fix first. It's not always an adversarial relationship."
Perhaps the most important disconnect between today's executives and their understanding of data security is understanding the risk to value. The report concluded that risk assessments, where decision makers look at what they are trying to protect and from whom, along with the financial implications of a breach, are still not happening enough. They should be the driver behind security decisions and where to direct budget and focus. Unenlightened respondents will be more subjective if they see the true cost of a breach.
"When you look at things like the Target and Home Deopt breach, how many people have walked out the door since that happened?" Camejo said. "If they aren't being proactive about hiring people with a better handle on information security, the problem isn't going to solve itself quickly." It will be addressed "fairly painfully."Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio