Are executives at Britain’s biggest companies ‘cyber-literate’? It turns out to be a tough question to answer, according to a new survey of board-level members at FTSE 100 firms by security firm Tripwire.
The firm questioned 101 board-level executives and 176 IT professionals outside the board about their experiences, finding that 54 percent of the executives rated their fellow members’ understanding of cybersecurity as ‘excellent’ with nearly 40 percent believing it to be ‘good’.
Only an incredibly tiny number thought it was ‘poor’.
Professionals outside the board level were less certain about the knowledge of boards, with 16 percent expressing some reservations. That still left a 71 percent majority expressing a high degree of confidence. For the board members the split was 80 percent positive to 20 percent negative.
Tripwire also asked an interesting question about which security events had had the most impact on the awareness of boards. A security breach came first with 35 percent – not surprising perhaps – but specific incidents also seem to have had a major impact.
The Heartbleed vulnerability was mentioned by 19 percent, the Sony Pictures and Target breaches by 17 percent each, and the Snowden leak by a surprising 8 percent. It seems C-level executives do pay attention to the news and have some awareness that these events are not disconnected from their own enterprises.
“There’s a big difference between cybersecurity awareness and cybersecurity literacy,” commented Tripwire’s CTO, Dwayne Melancon, who suggested that the survey painted a more positive picture than was justified.
“If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn’t work.
“I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they don’t fully understand the business impact of these risks.”
That’s an interpretation but it could also be the case that executives at the largest firms are not where the problem lies. With an army of researchers to keep them informed, one might expect the FTSE 100 to score well.
In fact the Tripwire survey suggests cyber-literacy among FTSE 100 executives is probably not bad at all. There is a widespread suspicion that boards aren’t terribly well-informed on computer security but no clear evidence ever emerges, nor is there agreement about what a perfect state of cyber-literacy would look like in any case.
A separate but related report by Vormetric this week found that perhaps it is the executives and IT staff who represent the biggest risk rather than the state of their knowledge.
Fifty-four percent of the 204 UK and German decision-makers asked rated ‘privileged users’ (including admins but also executives) as posing the biggest threat to their organisation in terms of data protection. Perhaps all that cyber-awareness has a downside.