Nearly a third of IT security teams never speak with their company's executives about cyber security and of those who did, 23 percent spoke to them only once per year, according to a new Ponemon Institute report.
This lack of communication and security awareness can greatly increase companies' risk of experiencing some kind of attack, according to Jeff Debrosse, director of security research at Websense, which sponsored the “Roadblocks, Refresh, & Raising the Human Security IQ” report released today.
In a Wednesday interview with SCMagazine.com, Debrosse predicted that the "31 percent [of IT teams that do not speak with their corporate executives] will, at some point, find themselves on the front page because they're not having a conversation about insider threats, APTs, etc."
But even though they aren't discussing threats with upper management, security teams are constantly thinking about them, which could contribute to the communications breakdown. An overworked employee might not have time to assemble a report and attend a meeting, though Debrosse explained, this is precisely what they need to do. The executive suite might take silence on the IT team's part to mean that everything is running perfectly when, in reality, additional support or funding might be needed.
IT teams need to “really insist and show the ‘why’ of having security as part of executive team meetings and discussions,” Debrosse said. Whether that means offering a quick to-do list or even stating that nothing has changed, it's important to show the IT security team's presence and differentiate themselves from the general IT department.
He suggested that security leaders take advantage of cyber threat models, such as the NIST "Risk Management Framework," to concretely show the cost of risks and their solutions as well as to defend budget requests.
The report, which surveyed more than 160,000 IT security professionals in 15 countries to determine the challenges they face in dealing with cyber security threats, also found that 47 percent of respondents felt frequently disappointed with the level of protection their security solution offers, and that 52 percent of companies do not provide cyber security education to their employees. The majority of those surveyed work for financial companies, and the United States and India accounted for the largest portion of respondents.

[An earlier version of this story cited the US-CERT 'MERIT' threat modeling project. The reference has been changed to NIST "Risk Management Framework."]