Contributing Writer

Corporate Executives Remain Lukewarm on Cyber Security

Dec 02, 2010

Only 25% of security professionals working at critical infrastructure organizations rate executive management support as "excellent"

What’s needed for strong cyber security? Good security policies, processes, and technology safeguards of course, but highly secure organizations also integrate security into their corporate culture — from new employees to the corner office. Since the proverbial buck stops at the CEO’s desk, cyber security-conscious and proactive CEOs are a security professional’s best friend.

In its recent research report, “Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure” (Note: The report is available for download at, ESG Research asked security professionals working at critical infrastructure organizations (i.e. electric power, financial services, health care, etc.) to respond to the following question: “How would you rate your organization’s management team on its willingness to invest in and support cyber security initiatives?” The responses were as follows:

25% selected: “Excellent, executive management is providing an optimal level of investment and support”
49% selected: “Good, executive management is providing an adequate level of investment and support but we could use more”
21% selected: “Fair, executive management is providing some level of investment and support but we could use much more”
2% selected: “Poor, executive management is providing little to no investment and support”
3% selected: “Don’t know/No opinion”

Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as “fair” or “poor.” Remember too that we are talking about critical infrastructure here — our money, our power, our food, our health care, etc. Yikes!
Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management’s support for cyber security initiatives as “fair” or “poor.” If your cell phone stops working soon, don’t be surprised. I believe there are several problems here:

1. Executive management doesn’t understand the risks and thus simply eschews cyber security investment.
2. Security professionals speak in a geeky dialect that executives can’t understand, creating a communications gap.
3. Many executives believe that a security incident would result in an inconvenience and a slap on the wrist rather than a major service outage.

It’s time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost — period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically challenged 60-year-old CEOs to invest in cyber security. It’s that simple. Either we do these things or we wake up one day to darkness. It is our choice.

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.