Majority of CEOs misidentify their biggest cyber threat – often at odds with their technical officers
A majority of CEOs are incorrectly citing malware as the primary cyber threat to their organisation's security and are investing in strategies at odds with the views of their technical officers, according to a new report.
The study of more than 800 CEOs and technical officers (CIOs, CTOs and CISOs), commissioned by identity and access management vendor Centrify and carried out by Dow Jones Customer Intelligence, has uncovered a fundamental disconnect between CEOs and their technical colleagues, who correctly identify identity breaches rather than malware as the primary issue affecting cybersecurity. As a result, cybersecurity strategies, project priorities and budget allocations don't always align with the real threats, nor do they help companies deal with most breaches. The study finds that 62% of CEOs cite malware as the primary threat to cybersecurity, compared with only 35% of technical officers.
Yet of those executives who have experienced "significant breaches", only 8% say that anti-malware endpoint security would have prevented them, while 68% indicate they would most likely have been prevented by either privileged user identity and access management, or user identity assurance.
"While the vast majority of CEOs view themselves as the primary owners of their cybersecurity strategies, this report makes a strong argument that companies need to listen more closely to their technical officers," says Tom Kemp, Centrify's CEO. "It's clear that the status quo isn't working. Business leaders need to rethink security with a zero trust security approach that verifies every user, validates their devices and limits access and privilege."
According to the study, investment decisions are frequently driven by misplaced confidence in the ability to protect against breaches, putting organisations at significant risk. While technical officers are more aware of the real threats, they are frustrated by inadequate security budgets, because spending follows the CEO's priorities rather than the actual threats.
Misaligned cybersecurity strategies
The study also finds that the disconnect between CEOs and their technical colleagues leads to misaligned security strategies and tension among executives.
81% of CEOs say they are most accountable for cybersecurity strategies, while 78% of technical officers make the same ownership claim. Yet only 55% of CEOs say their organisation has experienced a security breach, whereas 79% of CTOs acknowledge they've been breached.
"Centrify's research reveals that a primary reason for conflicting cybersecurity strategies and spending is that C-level executives and technical managers don't always see eye-to-eye regarding security priorities, and a misaligned C-Suite can put the organisation at risk," says Garrett Bekker, principal security analyst at 451 Research. "Modern organisations need to rethink their approach and adopt a framework that relies on verifying identity rather than location as the primary means of controlling access to applications, endpoints and infrastructure."
CEOs place a greater priority on reducing the costs of a breach than on protecting brand reputation
Perhaps surprisingly, CEOs place a greater priority on reducing the costs of a breach (55%) and improving shareholder value (45%), than on protecting brand reputation (35% compared to 52% of technical officers) and maintaining competitive advantage (24% and 42% respectively). In the UK, while nearly two-thirds of respondents believe investigation, remediation and legal costs are the most important consequences of a security breach, just 11% think damage to a company's reputation is the most important concern.
The study says CEOs are in danger of being "penny-wise and pound-foolish" if they fail to consider the impact of reputational damage. Other findings support the argument that CEOs are basing their cybersecurity strategies on faulty assumptions. For example, they are much more likely than technical officers to say that their company will reduce every type of cyber threat over the next two years.
The difference is greatest for malware, where 49% of CEOs say their firms will reduce this threat substantially, compared with only 28% of technical executives.
This CEO viewpoint seems to mirror their spending priorities and reflects a kind of "cognitive dissonance", says the study. Because they emphasise malware spending, CEOs believe that's where the risks will be, even though most day-to-day breaches aren't caused by malware, no matter how dramatic the headlines about them may be. "It's no surprise that the C-suite often points to malware as the biggest threat," says Barry Scott, Centrify's EMEA CTO. "Sensational headlines about major attacks could be to blame, which companies see and react to often mistakenly, when in fact identity-related attacks - such as stolen or weak passwords and attacks on privileged users within organisations - are the primary threat to cybersecurity today."
CEOs also express frustration with security technologies that provide a poor user experience and cause their employees to lose productivity. Sixty-two percent of them say that multi-factor authentication is difficult to manage and is not user-friendly, while only 41% of technical officers say this is the case. For their part however, technical officers would do well to understand the overarching implications of solutions they propose for their companies, including areas such as user experience.