Is your company’s cybersecurity keeping you up at night?

If you’re an IT professional, the answer to that question is probably yes. If you’re an IT executive, the answer to that question might be no – even if you work at the same company.

What we’re seeing, says Jack Danahy, co-founder of Barkly, a Boston-based endpoint security startup company, “is a breakdown in communication.”

That’s what Barkly found in its “Cybersecurity Confidence Report.” In it, Barkly surveyed 350 IT professionals and found that 50 percent are not confident in their current security products or solutions. However, the story is different at the executive level: Nearly 70 percent of IT executives said they have confidence in their current security/solution. There’s a disconnect in measuring return on investment, too: About 70 percent of IT executives said they’re confident that can be determined while less than 50 percent of IT pros said the same thing.

Unsecure thoughts

Danahy says that one reason IT professionals are so worried about their security is because bad stuff keeps happening. One third of respondents didn’t know how many had happened at their companies in the last year. Of those who could quantify it, the average was 2.7. For the IT professional, 2.7 is 2.7 too many. For the IT executive? They perceive that number as something different.

“The exec says that’s awesome. From the perspective of the IT professional, it’s ‘Oh my goodness look at all these attacks I have to worry about,’” Danahy says. They’re more worried about attacks because they’re “a little bit closer to the threat.”

“IT professionals tend to manage individual system components,” says Steve Bell, security expert at BullGuard, an Internet and mobile security software company.
“They know how everything fits together and the vulnerabilities.” They have a “microview,” which can lead them to be less confident because they see flaws and how some security solutions slow down business – and they see them on a daily basis. IT executives, however, often have a “false sense of security” because of a blind faith in technologies like firewalls and intrusion detection systems. “It’s almost as if a list of required products has been ticked off and that’s it, end of matter.”

That false sense of security can leave IT executives not only disconnected from the reality of their security situations, but also with a blind spot about which threats are really out there. According to a recent study by Proofpoint, phishing via social engineering – which exploits weaknesses in people, not security – is becoming, once again, one of the most common techniques cybercriminals use to break into a company’s system.

For that reason, Jay McLaughlin, chief security officer and senior vice president of Q2 Holdings, has led a program to phish their own employees. “I really do think it’s not a matter of if but truly a matter of when that occurs,” he said. But that’s not something a company would do if IT professionals and executives were not talking to each other to identify what – and who – was really at risk.

Changing the conversation

Communication is what will get IT professionals and executives on the same page, says Bell.

“It’s about communication and the need to talk to each other in a language that both understand,” Bell says. “IT might talk in terms of updates, breaches and vulnerabilities. The executive team talk about technology in the context of the business.”

For IT professionals, that different conversation means knowing what priorities executives have and why. “Sure they think they’re communicating what management needs to know to make good decisions, but it’s hard,” Danahy says, because sometimes priorities are mismatched.
A concern for price or efficacy or ease of deployment might trump how well something actually works. Executives, for their part, need to start asking better – and deeper – questions.

“Executives won’t say ‘what have you done and where are we at?’ The following question that might be a little bit more for a management professional to ask is ‘What are you worried about?’” That, Danahy says, could lead the IT professionals to say what they’re spending the most time on, things that might be hidden from the executive view otherwise.

That’s especially true if IT professionals feel overwhelmed, or helpless, in the security fight. Bell says that’s when outside help might need to be called in. “Expert objective insight can shine light on the issues fairly rapidly, whether it’s penetration testing, security policy assessment or a system review,” he says. “Often this in-house expertise can be missing, especially if the executive board hasn’t bought into the importance of security for the business.”