By Matt Lock, Director of Sales Engineers at Varonis
With every week seemingly bringing reports of another serious data breach hitting a high-profile organization, and the EU GDPR ushering in strict new data security laws, cybersecurity has finally become a major priority for most companies. However, establishing a strong security strategy can still be a difficult prospect.
One of the biggest challenges is aligning the various stakeholders in the business and bridging the gaps between their disparate priorities and perceptions. In particular, the two most important groups influencing the security of a company are the IT and security teams with direct, hands-on experience of the threats, and the C-suite making the overall budgetary and strategic decisions. If these two stakeholder groups are not on the same page, the company’s security strategy can become fragmented and ineffective. Our own research has found that the priorities of the C-suite and of IT/security teams can differ drastically.
The biggest cybersecurity worries
To begin, we wanted to gauge which kinds of cyber threats were causing the most concern, and immediately found that the C-suite and IT/security teams were in firm agreement that data loss and data theft/exfiltration were the biggest worries. This supports the assertion in Europol’s Internet Organised Crime Threat Assessment (IOCTA) that data is the ‘lifeblood’ of almost all companies; it therefore follows that decisions around its protection and management are of strategic importance.
Interestingly, the two groups differed heavily when it came to their third choice. The IT and security respondents ranked ransomware as the next biggest concern, while the executives were more worried about data alteration, where an attacker changes records, or changes the code controlling something like an automated assembly line, rather than stealing the data outright.
Disagreeing on impact
While the two stakeholder groups generally shared the same cybersecurity priorities, we saw a major difference of opinion when it came to assessing the business impact of a security incident. 31 percent of IT and cyber respondents held brand perception as their main concern, followed closely by intellectual property loss. Direct costs such as fines and recovery expenses proved to be a much lower priority.
The C-suite, on the other hand, took the opposite stance, with costs sitting firmly as the main concern. This suggests that IT and security practitioners are focused on protecting the company’s reputation and operations as a matter of course, while executives see the impact on the business’s bottom line as the deciding factor.
A lack of communication?
The biggest difference of opinion appeared when we asked respondents about their security readiness, specifically whether they agreed with the statement “My organization is making measurable progress when it comes to cybersecurity”. IT and security teams were quite optimistic, with 91 percent agreeing with the statement. However, a markedly lower 69 percent of executives felt this way.
These dissimilar perceptions appear to stem largely from a lack of clear communication about the company’s security efforts and the impact they have. This was especially clear when it came to the ever-pressing issue of finances: 88 percent of security and IT respondents stated that they could quantify how cybersecurity measures affect the business, but only 68 percent of the C-suite group felt the same.
Taken together, this strongly suggests that executives need more information about their cybersecurity investments and how those investments make a quantifiable, justified contribution to the company’s bottom line. If senior management is not part of the security planning process, that is a problem in itself: with more at stake in the event of a data breach, companies can no longer lay the blame solely at the door of the IT security team when an incident occurs.
Time to speak up, security pros
Clearly, more needs to be done to get the C-suite and the IT and security teams on the same page. One of the most telling findings from our survey was that IT and security practitioners appeared to overestimate how well their concerns were being communicated to, and understood by, their executives. 94 percent of practitioner respondents believed their company’s leadership acted on their advice about security threats. By contrast, only 76 percent of executives said that they took input and guidance from their IT and security staff on security issues.
To address this, IT and security teams need to make more effort to speak up and ensure that their concerns are clearly understood by the C-suite. Over the years, many IT heads have focused on the potential damage that cyber attacks represent; now that the threat is more widely understood, they should also communicate the positive impact of their IT and security investments. Whenever possible, they should relate every cyber issue back to the operations of the company as a whole, in the terms the board already uses to measure the business.
Finally, IT and security teams should also look to secure more face time with their leadership groups, giving them the opportunity to fully explain their concerns and the investments they need, rather than relying solely on impersonal reports and figures. If the IT and security function does not already have one, the C-suite should give it a seat at the executive table, so that its voice is heard and both groups stay on the same page.
About the Author
With 20 years’ cybersecurity experience, Matt is an expert on data security and a regular speaker and media commentator on GDPR. An accomplished CISSP-certified security consultant, he has worked with world-leading organizations across insurance, pharmaceuticals, legal, health, entertainment, retail, and utilities. As Director of Sales Engineers at Varonis, he heads up the team that undertakes risk assessments and data governance projects, helping organizations to secure and manage their unstructured data. Through these assessments, Varonis has found alarming levels of excessive employee access to sensitive files within organizations: its recent report revealed that 58% of organizations have more than 100,000 folders open to every employee.
Matt can share insights, based on this first-hand experience on:
- How failing to lock down access to sensitive files exposes an organization to data breaches
- Why organizations need to take the time to identify sensitive data and apply permissions so that it is accessed only by the people who need it (known as a model of ‘least privilege’).
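The “folders open to every employee” finding above describes a check that is easy to approximate on a file server. The script below is an added example and is not Varonis’s tooling or the report’s methodology: it uses POSIX mode bits (the ‘other’ read and execute bits) as a stand-in for the Windows “Everyone” share and NTFS permissions a data-access risk assessment would look at, and it builds a small constructed directory tree so it runs offline. The function names, the sample layout and its modes are assumptions made for this illustration.

```python
"""
Audit a directory tree for folders that any user on the system can list.

Added example, not Varonis's tooling. POSIX 'other' read+execute bits are
used as the analogue of a folder "open to every employee"; assumes a POSIX
filesystem where chmod is honoured.
"""
import os
import stat
import tempfile

# A directory that grants r+x to 'other' can be listed and traversed by
# every local account, i.e. it is open to everyone.
OTHER_RX = stat.S_IROTH | stat.S_IXOTH


def find_open_folders(root):
    """Return sorted root-relative paths of directories under root
    that every user can list (mode grants o+rx)."""
    open_dirs = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            if not stat.S_ISDIR(mode):
                continue  # symlink to a directory, skip it
            if mode & OTHER_RX == OTHER_RX:
                open_dirs.append(os.path.relpath(full, root))
    return sorted(open_dirs)


def exposure_summary(root):
    """Return (open_count, total_count) for directories under root,
    the kind of headline figure a risk assessment would report."""
    total = 0
    for _, dirnames, _ in os.walk(root):
        total += len(dirnames)
    return len(find_open_folders(root)), total


def build_sample_tree():
    """Constructed sample tree (hypothetical layout) mixing folders that
    are open to everyone with one that is locked down to its group."""
    root = tempfile.mkdtemp(prefix="acl-audit-")
    # Modes are set explicitly for every directory so the result does not
    # depend on the caller's umask.
    layout = {
        "public": 0o755,
        "public/share": 0o755,      # open to everyone
        "hr": 0o755,
        "hr/payroll": 0o750,        # group only: NOT open
        "legal": 0o755,
        "legal/contracts": 0o705,   # owner + other, no group: still open
    }
    for rel in layout:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in layout.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path in find_open_folders(sample_root):
        print("open to everyone:", path)
    opened, total = exposure_summary(sample_root)
    print(f"{opened} of {total} folders are open to every user")
```

On the constructed tree the audit flags public, public/share, hr, legal and legal/contracts, and leaves hr/payroll alone, because only the ‘other’ bits matter for this check; a folder readable by its owner and group is not exposed to the whole company. Point find_open_folders at a real share root to get the same kind of count the report cites, then drive the least-privilege work from that list rather than from folder names alone.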