It was surprising that "the information is just not getting up to the C-suite," Mike Potts, president and CEO of Lancope, told Security Watch. "We talk about this stuff all the time," he added.
Companies are spending millions of dollars on security products and services and still getting breached, according to Lancope, who commissioned the study. In fact, Gartner said $67 billion was spent on IT security products globally in 2013. Yet $250 billion worth of intellectual property is stolen from companies each year. Where is the disconnect?
No Regular Updates
Many executives may look at all the security spending and think, "I got all this stuff, I am done," Potts said. If they are not receiving regular updates and information about the organization's overall security posture, then there is no reason to revise that view. But that's not how it should be. "The current scenario is not 'set and forget,'" Potts said.
While the survey didn't ask why IT personnel weren't raising the issues with the C-suite, Potts suggested the issue may be related to how security is measured within the organization. Half of respondents said they had no metrics to measure the effectiveness of their incident response capabilities. This means they are unable to translate the threats and problems into language the senior executives—concerned about the overall business—can understand or work with.
It's also very likely that even if the discussions about security happened, that executives were receiving a very "watered down" version of the problems, Potts said.
"Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response. This communication is critical if we want to reduce the astounding frequency of high-profile data breaches and damaging corporate losses we are seeing in the media on a near-daily basis," Potts said.
Part of the problem is an investment issue. Half of the respondents in the survey said less than 10 percent of their overall security budget is earmarked for incident response, and despite the growing pace of attacks and threats, most said they have not increased that allocation in the past two years.
It makes sense. If the C-level executives don't realize what the risks and threats are, then they won't prioritize the budget. If the executives know the potential loss or damage is going to be fairly large, then they can act accordingly to close that gap. Executives need to "have the right information to make the right investments," Potts said.
Need to Change
About 68 percent of respondents said their organizations had experienced a data breach or some other security incident in the past two years. Of that group, almost half, or 46 percent, of the respondents said another incident was "imminent" and could happen within the next six months. This is serious, and clearly, the C-suite should be concerned and working with IT to make sure necessary steps are being taken, right?
Not according to the survey, because the majority of the 674 IT and security professionals in the survey claimed they were not escalating these issues or letting the senior executives know what was looming. Makes you wonder just how much the Target CEO knew before he was thrust into the national spotlight and asked to discuss the breach, doesn't it?
Potts was hopeful that the data breach at Target and other retailers would act as a wake-up call for others. Maybe Target will change how organizations communicate, and "make it easy to tell the C-suite about security problems," Potts said.