A new report from defence and engineering firm BAE Systems has unearthed what it calls a 'disconnect' between IT decision makers and C-suite executives in cybersecurity, leading to them blaming one another for breaches.
According to the research, C-suite executives – CEOs, CIOs, CFOs and so on – dramatically underestimate the potential financial damage that a cybersecurity breach could do to an organisation.
Cost is difficult to work out because the potential scenarios that could occur through an undetected breach can be numerous and somewhat abstract. But there was a "significant difference" in terms of understanding the cost of a successful breach, pointed out Dr Adrian Nish, head of threat intelligence at BAE Systems, speaking at a press event in central London.
Executives believed on average that a successful breach could cost as much as $11.6 million – but decision makers dealing with threats on a daily basis estimated $19.2 million.
"Interestingly enough, the C-Level execs thought it was a lower cost than what the IT decision makers estimated," Nish said. "Given that C-suites tend to come from larger organisations, it's quite an anomalous finding."
"The decision-makers might be closer to the issue – they might recognise the variety of costs that come in from the fines, and having to hire experts to do investigations and clean-up, to them having to go and improve defences," he said.
Similarly, BAE noted a gap in the two groups' estimates of current spending on IT security: the C-suite put it at 10 percent of the overall IT budget, compared to 15 percent for IT decision makers.
Executives in the UK believed they spent less than their counterparts in any other country, at seven percent compared to ten percent worldwide. But they rated professional organised crime or fraud groups as the most immediate threat to their organisations, followed by hobby hackers, which chimes with data from the Office for National Statistics' annual crime survey.
Surprisingly, the C-suite respondents considered lone or hobby hackers the biggest threat for compromising their organisation's network – rather than professional, nine-to-five hackers or rogue insiders.
However, both groups believed cybersecurity was a top business priority, perhaps a sign of progress in getting security onto the board's agenda. In fact, 72 percent of IT decision makers and 71 percent of the C-suite respondents agree that it is the "most significant" business challenge.
One of the more intriguing anomalies in the report is about information sharing, specifically at the C-Suite level. Most agreed that access to information – whether that's organisationally or in the wider threat landscape – was crucial to developing a cogent and effective cybersecurity strategy.
But they were also unwilling to share information on cyberattacks that they themselves had been hit by. Although the report doesn't delve into this, it could be for a variety of reasons, such as the impact on competition and winning new business, or damage to brand reputation.
"Only 15 percent said that under most circumstances they would be willing to share information on cyber attacks," said Nish. "For the majority it was quite caveated, and a lot thought no – under no circumstances would they share information."
"What we've got here is a lot of people saying yes, we need more information on cyber attacks – we need intelligence – but on the other hand being unwilling to actually share information. So there's a bit of a gap there that needs to be addressed."
According to BAE, this divide between the top brass and IT teams will translate into a real-world negative impact when breaches do hit.
"There's a divide between the decision makers and the C-suite in terms of the perception of different threats, who is responsible or accountable," Nish said. "This is certainly a weakness – this gap is something that will lead to weaker defence, and organisations not being able to prepare for attacks.
"Clearly, more work needs to be done around strategy and where spend is going – and more information to bridge that gap."
What can organisations do to address this? According to Nish, it's accountability that is a "key point to reflect on".
"You need to find who in the organisation is actually accountable for a cyber breach," he told Computerworld UK. "Once that understanding is there and it's their responsibility, they can start thinking about putting reporting lines in place, putting in place the relevant information or intelligence they need to understand the nature of the threat, and ultimately what resources they need to throw at the problem.
"I would say the more information people have and the better quality information people have, both about the threat landscape and what the issues are in terms of strategic and tactical specifics in their organisation, the better informed they are to make the decision. Getting that quality information is part of the challenge."
Could it be a fairly typical cultural disconnect – that C-level execs are detached from the day-to-day running of the show?
"It may be," Nish said. "I think that's just the nature of how things are evolving – plus the scale, because it's global as well. I get an email each day of cyber attack information, and I'm a professional whose responsibility is to understand all this.
"The volume is enormous and the pace at which things are moving means it's challenging," he said. "So for somebody who's a C-suite and has a range of things to deal with – knowing what's relevant to them is the challenge."
Although the report doesn't go into the specifics, Nish pointed out that part of the problem might be where C-level execs are getting their information from – for example, sensationalised headlines in the press about hobby hackers, rather than intelligence reports by third parties and from within their organisations.