What's needed for strong cyber security? Good security policies, processes, and technology safeguards of course, but highly-secure organizations also integrate security into their corporate culture -- from new employees the the corner office. Since the proverbial buck stops at the CEOs desk, cyber security-conscious and proactive CEOs are a security professional's best friend. In its recent research report, "Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure" (Note: The report is available for download at www.enterprisestrategygroup.com), ESG Research asked security professionals working at critical infrastructure organizations (i.e. electric power, financial services, health care, etc.) to answer respond to the following question: "How would you rate your organization's management team on its willingness to invest in and support cyber security initiatives?" The responses were as follows:25% selected: "Excellent, executive management is providing an optimal level of investment and support"49% selected: "Good, executive management is providing an adequate level of investment and support but we could use more"21% selected: "Fair, executive management is providing some level of investment and support but we could use much more"2% selected: "Poor, executive management is providing little to no investment and support"3% selected: "Don't know\/No opinion"Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as "fair" or "poor." Remember too that we are talking about critical infrastructure here -- our money, our power, our food, our health care, etc. Yikes! Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management's support for cyber security initiatives as "fair" or "poor." If your cell phone stops working soon, don't be surprised. I believe there are several problems here:1. Executive management doesn't understand the risks and thus simply eschews cyber security investment.2. Security professionals speak in a geeky dialect that executives can't understand creating a communications gap.3. Many executives believe that a security incident would result in an inconvenience and slap on the wrist rather than a major service outage It's time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost -- period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically-challenged 60 year old CEOs to invest in cyber security. It's that simple. Either we do these things or we wake up one day to darkness. It is our choice.