Survey: execs clueless, security pros unsure in fighting cyberattacks

A survey conducted by the Ponemon Institute points to a need for more information sharing between organizations and better communication between security pros and upper executives

IT security pros lack confidence in preventing cyberattackers from stealing high-value data and say upper management lacks an understanding of the potential losses, a global study shows.

The findings of the survey, sponsored by Websense and conducted by the Ponemon Institute, point less to a need for new technology and more to a lack of shared intelligence on cyberthreats and to poor communication between security pros, CEOs and board-level executives, Jeff Debrosse, director of security research for Websense, said Tuesday.


The survey of nearly 5,000 IT security pros in 15 countries, including the U.S., found that roughly six in 10 were convinced the organizations they worked for were not adequately protected against advanced cyberattacks. About the same proportion said the same about their ability to stop the theft of confidential data.

The lack of confidence is expected, given that no security product can build an impenetrable wall against attacks, Debrosse said. To bolster confidence, security pros should share attack intelligence so they can better understand their adversaries and how to defend against them.

"We can get a lot better at what we do once we start to formalize and come up with an acceptable vetting process to share information between organizations," Debrosse said.

Progress toward more information sharing between organizations has been slow, experts say, because of fears that rivals would use the shared data for competitive advantage. Companies often require layers of non-disclosure agreements that hamper such efforts.

Government information is also hard to get due to fears of compromising national security.

Most private data shared today is between large organizations within single industries. In 2013, President Barack Obama issued an executive order requiring federal agencies to share more information with critical infrastructure owners and operators. Efforts in that area are ongoing.

As for the relationship between a company's leaders and its security pros, eight in 10 security pros believe upper executives do not equate the loss of confidential data with lost revenue, the survey found.

Other recent Ponemon research has found that the average cost of a data breach within an organization is $5.4 million. But despite that potential loss, nearly half of survey respondents said board-level executives had a "sub-par understanding of security issues."


Executives often do not have a grasp of the state of an organization's defenses because security pros describe problems in esoteric terms, Debrosse said. Security techs also tend to have "a bias that if you don't speak my techno-lingo, you must not be bright."

To clear this hurdle, each side has to take the other's expertise into account when solving security problems. Executives have to gain a fuller understanding of the risks associated with cyberattacks, and security pros need to focus on the cost-effectiveness of the approaches they take to locking down data.

Copyright © 2014 IDG Communications, Inc.
