Although there is near-uniform agreement in the C-suite that cyber-security is a key concern, top corporate executives may not be prepared to respond to cyber-threats, according to IBM's Securing the C-Suite report, which examines security trends and attitudes of 700 C-level executives, excluding chief information security officers.
More than 94 percent of the C-level executives polled (including CEOs, CIOs and CTOs) indicated that there is a probability that their organizations will be affected by a cyber-security incident within the next two years, the study found. Although nearly two-thirds (65 percent) said their cyber-security plans are well-established, only 17 percent said they feel capable and prepared to actually respond to cyber-threats.
"C-level executives know that security is important, but they don't always get to the next level of engagement," Diana Kelley, executive security advisor, IBM Security, told eWEEK.
IBM's report highlights a trend that it calls a confidence paradox, where the reality of cyber-security readiness is different from the perception, based on the role of the executive.
"When you aren't as close to security, you might feel more comfortable," Kelley said. "If you're a high-level executive, you generally want to hear reports that things are going well."
As a function of the reporting structure at companies, often C-level executives (except for chief information security officers (CISOs)) aren't always exposed and aware of the day-to-day reality of cyber-security, Kelley said.
The study points to a collaboration disconnect: 69 percent of C-suite executives indicated that their organization's security plans do not adequately incorporate cross-C-suite collaboration.
Two-thirds of respondents agreed that information should be shared to help improve cyber-security. Yet when asked if they would be willing to share such information, only one-third of respondents indicated that they would, in fact, be prepared to do so.
"So they know that they need to share data, but they're afraid and just not willing to actually share the data," Kelley said.
There is still a metrics challenge when it comes to security, Kelley said. "How do we report out the right metrics about risk exposure, and how do we bring that to the board. So an executive might be looking at a lot of green lights on a dashboard, but if you dig under the covers, the details might show some challenges."
However, pulling together the right security metrics that are meaningful is not easy, Kelley said. A simple metric, such as days since last breached, is not enough, said Kelley who advocates for better security engagement and continuous monitoring for security.
"So instead of brittle reporting mechanisms like days since last breached, or time to patch, organizations need to have a more holistic view of what the real risk profile is," Kelley said.
While technology can help improve visibility and enforce control, true security is enabled through a combination of people, process and technology, she said. "There are things that technology can do a lot faster and better than humans, but humans are the ones who are interacting with the systems and writing the programs and the policies. If you don't have the right policies in place and the right people using the technology, it won't work."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.