According to a new report from Kaspersky, 80% of top-tier managers in the U.S. admit that a miscommunication with the IT department or IT security team has resulted in at least one cybersecurity incident in their organizations. Regarding personal attitudes, the majority of non-IT executives cited a diminished sense of cooperation between different teams (43%) and said the situation makes them question their colleagues' skills and abilities when communicating with their IT-security employees (56%).
A recent Forrester analytics survey found that companies spend an average of 37 days and $2.4 million to detect and recover from a cybersecurity breach. To determine how much mutual understanding between executives and information security teams affects a company's cyber resilience, Kaspersky conducted a global survey of more than 1,300 business leaders.
According to the results of the study, 98% of non-IT respondents experienced miscommunications regarding IT security. As for consequences, a breakdown in communications most often leads to serious project delays (81%) and cybersecurity incidents (62%). Other negative effects are a wasted budget (73%) and the loss of valued employees (75%).
In addition, unclear communication with IT-security employees affects the emotional state of employees and leads to executives questioning the skills and abilities of IT-security employees. 41% of executives admit that misunderstandings make them lose confidence in the business' safety, and 52% reported that their lack of confidence in the team makes them nervous, ultimately affecting their work performance.
"Clear communication between a company's executives and IT security management is a prerequisite for corporate business security," said Alexey Vovk, head of information security at Kaspersky. "The challenge is to put oneself in the others' position and anticipate and prevent serious misunderstandings. This means that CISOs should know basic business language to better explain the existing risks and need for safety measures. On the other hand, business should also understand that information security is an integral part of business and budgeting for it is an investment in protecting company assets."
To make the communication between IT security and business functions within a company more transparent, Kaspersky recommends the following:
- Understanding professionals from another sphere requires not only empathy, but also additional knowledge. While IT security workers can learn basic business terms and concepts in various training courses, non-IT executives have an opportunity to walk in a CISO's shoes to get insight into the most relevant IT security challenges.
- Both IT and non-IT managers should not lock themselves in a professional "information bubble." Staying aware of the agenda in both the business and cybersecurity worlds is another key to successful communication and mutual understanding between them.
- Cybersecurity specialists should use reliable and understandable arguments when communicating their needs to the board and justifying their cybersecurity budget. Use information about the threats and security measures most relevant to your particular industry and company size to demonstrate the probability of risks and the protective measures needed. Resources such as IT Security Calculator and reports based on experts' observations can significantly ease this task.
- It is extremely important to allocate cybersecurity investments to tools with proven efficacy and ROI. This means tools that lower the rate of false positives and reduce the time to detect an attack, the time spent per case, and other metrics that matter to any IT security team.
The full report and more insights on communication issues between C-level and IT security managers are available via the link.