Good news but CEO participation in cybersecurity decisions and oversight carries a cost
Published: December 18, 2012
Dealing with business and executive managers has been a persistent occupational hazard for security professionals. Business managers didn’t want policy enforcement to get in the way of business productivity. CEOs and CFOs tended to eschew “good security” for “good enough security.” The biggest role they played here was that of budget cutter.
This minimalist attitude toward cybersecurity appears to be changing. According to ESG research, 29% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) say that executive management is “much more engaged with information security situational awareness and strategy” than a year ago, while another 40% of enterprise security professionals say that executive management is “somewhat more engaged with information security situational awareness and strategy” than a year ago.
Why the change? CEOs are reading about cybersecurity incidents in the Wall Street Journal and watching share prices of breached companies plummet. The Google Aurora security attack of 2010 and subsequent wave of APTs were also a wake-up call for business mucky-mucks that nation states and competitors may be stealing their intellectual property out from under their noses. Whether they like it or not, CEOs now realize that they have skin in the cybersecurity game, so they better be prepared.
Okay, so the good news is that the suits on mahogany row are finally paying attention. Here is a short list of what this means to the information security community:
Security is hard and getting harder. I’m glad executives are paying more attention but they may not like it when they find out that their security infrastructure was built on a shoestring budget and they are ill-prepared for today’s threats. The year 2013 is likely to be a nail-biter.
*All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging.