Execs and IT Have Different Levels of Concern for Cybersecurity

Aug. 13, 2018
Survey finds executives' security concern 55% lower than IT and security professionals.

ERP Maestro, provider of automated and cloud-based controls for access, security and GRC, announced today the availability of a new survey summary showing a substantial gap between executives and all other groups surveyed in their perception of security risks, with the most disparity between executives and those directly responsible for IT and security.

The extreme difference between the two groups may be detrimental to developing sound cybersecurity strategies and acquiring and implementing better solutions to safeguard a company and protect its assets.

In a May survey of executives, IT, security, audit and finance professionals conducted by Americas' SAP Users' Group (ASUG), only 25 percent of executives, including C-level employees such as CIOs and CTOs, stated that they were very or extremely concerned about security. In contrast, 80 percent of IT and security respondents reported their concern level in the very and extremely concerned range.

"This doesn't mean that executives aren't concerned about security, especially as it relates to internal security for SAP systems," said ERP Maestro's CEO Jody Paterson. "It does, however, indicate that they may be less aware of true risks and vulnerabilities because they don't have full visibility or are removed from the direct day-to-day security tasks."

"One of our biggest challenges, and also an objective in the work we do with SAP customers, is bridging the divide between executives and IT/security teams so that they are all on the same page when it comes to understanding their level of risk," said Britta Simms, IBM's Lead for Global Center of Competency SAP Security. "That joint knowledge is crucial in forming comprehensive strategies and getting buy-in across the organization for the best prevention plans and tools. It's also a competitive advantage."

Survey insights included in the report state that many companies may overestimate their security. This could be true especially among executives if they don't have a full understanding of the scope and number of risks and how they can impact the potential for a breach.

"Because companies may still manage access and reviews manually, which is a very tedious, time-consuming and error-prone approach, risks may not be uncovered, mitigated or reported correctly," said Paterson, "and accurate information may not reach the executive level, giving this group a false sense of confidence in their security. Knowing the problem is the first step to fixing it."

Paterson further surmised that while they may ultimately get the blame for a cyberattack, executives may also be more focused on strategic initiatives that drive the bottom line, whereas, according to the survey summary, "dedicated security professionals understand the nuances of security and see it as a significant challenge. They likely have a more accurate assessment of their environment."

One problem that could occur due to this disconnect is that executive-level employees, who generally control budgets and are top decision makers, may not comprehend the actual degree of risk and may be more hesitant to invest in better strategies or tools to prevent threats, putting their businesses at even more risk.

According to the survey, a full 33 percent of respondents don't have a defined cybersecurity strategy, which supports the more intense concern among IT and security respondents. There also appears to be a link between having a strategy and automation. Those with strategies were more likely to use automated solutions to manage access and security for their systems, which, as the survey concluded, does help reduce governance, risk and compliance challenges.

"Companies can improve their factual knowledge of risks with tools that improve visibility, monitoring and control of access automatically," said Paterson. "They can also close the gap between executives and IT with better reporting, communication and joint participation in designing security strategies."

The full survey summary is available for download.