New Research Finds C-Suite ‘Infosec Averse’

As technology continues to become more essential for running businesses in nearly every field, it’s no surprise that C-level tech experts are playing a more important role.

However, CIOs, CSOs, and CISOs don’t always work in perfect harmony with other C-level counterparts, and recent data from Bitdefender’s “Small Gains, Big Wins” shows that security-minded C-level executives have some significant concerns, particularly when it comes to other executives.

Bitdefender, a UK-based organization, surveyed C-level executives charged with keeping their information secure about their overall practices and views of their companies. When asked which part of their organizations’ demographics was more infosec-averse, 41 percent laid the blame on their fellow C-suite counterparts. In fact, management as a whole, from C-level executives down to junior department heads, was cited as the most likely to disregard security risks and leave data vulnerable. Day-to-day knowledge workers, who are often charged with being most likely to cause security problems, were cited by only 25 percent of respondents.

Security C-suiters demonstrated a varied but sophisticated view of the risks posed by inefficient security. When asked what their greatest concern regarding security was, 26 percent cited the possibility of fines or other sanctions. In contrast, 42 percent of infosec executives instead cited a potential loss of stakeholder and customer trust as the most concerning potential repercussion. In third place was a loss of employee trust, noted by 16 percent of respondents. This number varied by age, with older infosec executives being more likely to cite stakeholder and customer trust as a greater concern, while younger executives were more concerned about fines.

A Stressful Position

Infosec executives are often actively concerned about the effects of poor security, as 52 percent of those surveyed believe that office morale was being negatively affected by a recent security breach. Perhaps even more concerning, 58 percent responded that they had lost sleep worrying about potential cyberattacks, a figure that unveils the kind of stress these security C-level executives feel on an ongoing basis. Some expressed sentiments that show a lack of clarity on the job; 20 percent of those who responded can’t positively say whether their end-point security solutions are up to date.

Bitdefender asked about how important speediness was in various security areas, and sandboxing, which came in last place, was still cited by 68 percent of those surveyed. At the top was endpoint security at 76 percent, followed closely at 74 percent by both endpoint detection and response and anti-exploit and memory protection. Application control, patch management, and automated behavioral analysis were cited by similar numbers: 73 percent, 72 percent, and 69 percent, respectively. The main takeaway, however, was clear: Speedy responses are essential for mitigating breaches and minimizing harm.

Fortunately, infosec executives seem more optimistic about their ability to become aware of new large-scale public threats in a prompt manner. In total, 57 percent of those who responded believe their business would become aware of potential threats within 24 hours, while 32 percent believe they’d become aware within 25 to 48 hours. A further eight percent believe they’d be aware of such threats between three days and one week, while only three percent believe they’d take between two and four weeks.

Speedy Responses to Large Threats?

Becoming aware of threats is critical, but launching a response is key as well. Overall, 51 percent of businesses, according to their infosec executives, believe they could patch corporate devices within 24 hours, and a healthy 34 percent believe they’d have everything patched between 25 and 48 hours. A further 13 percent could deploy patches between three days and a week, while two percent believe patches would be deployed between two and four weeks. Unfortunately, as Bitdefender points out, famous malware variants in the past have been able to spread within a few hours, and even some of the most optimistic patch roll-outs may not be sufficient.

Respondents were split when asked what was the best way to mitigate threats. Human cybersecurity researchers came out on top, but they were only chosen by 40 percent of C-level tech executives. Following closely behind, at 36 percent, was antimalware technology. The remaining 24 percent pointed to a relatively newer technology that holds promise: machine learning. When it comes to having the best odds at stopping a threat, executives were somewhat less divided. Nineteen percent believe having the right strategy is most important, and 31 percent believe it’s most important to have the right tools. The remaining 50 percent pointed to a non-technical solution: having the right team in place.

C-level executives always have differing goals. With the rise of cyberattacks, and the sheer volume of data posted online, it’s becoming clear that CIOs, CSOs, and CISOs will continue to play a growing role. Although there’s no simple solution to delegating roles and making decisions, non-technical C-level executives should note the concerns their more technical counterparts have about overall data security.