Security Slideshow: Information Security: Views of CEOs, CISOs Diverge Sharply
By Fahmida Y. Rashid | Posted 06-21-2012
Concerned About Breaches
The survey asked, "How concerned are you about your IT systems getting hacked?" The majority of CEO respondents were "somewhat concerned" while the majority of CISO respondents were "very concerned." Twenty percent of CEOs polled were not concerned at all. Only 4 percent of CISOs polled were that confident.
Security experts warn that companies are often under attack or compromised for weeks or months (even years) before the hack is detected. Only 4 percent of CEOs polled thought that was definitely the case, compared to 15 percent of CISOs.
CEO respondents felt external attacks, such as phishing and social engineering, were the greatest threats to the organization's security, while CISO respondents were more likely to blame employees.
CEO respondents were more likely to list phishing and social engineering attacks as the greatest threats to the company's IT infrastructure than CISO respondents, who ranked it a distant second. CEOs polled were more concerned about the prospect of lost or compromised mobile phones and other portable devices than were CISOs.
The workforce was the primary concern for CISO respondents, who claimed that a lack of employee education and diligence posed the biggest threats to the organization. Phishing (a distant second) and nation-state attacks (third) weren't as critical to CISOs as were the internal issues.
The buck stops - sort of - at the CISO's desk. Only 4 percent of the CEOs polled felt their jobs would "definitely" be on the line if the company were hacked, compared to 14 percent of the CISOs.
Time for Training
While CEO and CISO respondents agreed that they had enough time to sufficiently train and educate their workforce.
Only 8 percent of CEO respondents claimed their CISOs update them on the state of IT infrastructure security every day, compared to the 11 percent who said they do so once a week. In fact, 65 percent of the CEOs polled said they don't have the information they need to translate IT risk into business risk.
CEOs and CISOs agree on one thing: The bad guys are winning. Both groups strongly felt that hackers were ahead of the security curve, although 42 percent of CISOs thought the "good guys" were pushing ahead.
Security as a Joint Responsibility
CEOs and CISOs alike believe security is not their responsibility alone, but one that requires work and support across all parts of the company. CISOs were less likely to favor the go-it-alone approach to security.