The role of senior business executives in beefing up security is significant, and CIOs responding to the survey expressed concerns with their executives' approaches to security. Indications are that CIOs often see their executives as paying lip service to aligning their companies' business practices with security concerns. At the same time, CIOs don't seem to be taking all the steps they could or should be taking in order to make security a higher priority for their companies.
CIOs gave their senior business executives a sub-par average score of 4.5 on a 10-point scale of security awareness. CIOs who cited security as a high priority graded their execs slightly higher: 5.1, versus 4.1 from less security-conscious CIOs.
Sixty-five percent of respondents said they'd met with senior executives during the past 12 months to discuss security. And 74 percent said their colleagues understood the concerns raised and seemed willing to make changes to business practices to make their companies more secure.
Still, a full 30 percent of CIOs said those same business executives had forced them to cancel changes to business practices that were planned to ensure better security, after receiving complaints from business units or end users.
Just 48 percent of respondents said their IT departments had performed a formal risk assessment to determine their organizations' current level of security risk. And only a third said their companies conduct simulated security breaches in order to determine their points of security risk.