C-suite execs & IT teams blame each other over cyber breaches, report claims

There is a severe ‘disconnect’ between C-suite executives as well as IT decision makers when it comes to managing cyber attacks. Namely, both blame each other in the event of a cyber breach.

This is according to a new report from defence & engineering firm BAE Systems in which 984 IT decision makers as well as 221 C-suite executives were polled.

The report found that a third 35 percent of C-suite executives like CEOs, CIOs, CFOs & so on believe that IT decision makers are responsible for cyber breaches while on the other hand, about 50 percent of IT managers would put the blame on their senior management.

Even estimates of cost of a successful breach differ from one another. C-suite executives underestimated the total potential cost of a cyber breach. IT decision makers believed that a successful cyber breach could cost as much as $19.2 million while the C-suite executives estimated the cost as $11.6 million.

“Interestingly enough, the C-Level execs thought it was a lower cost than what the IT decision makers estimated,” Dr Adrian Nish, head of threat intelligence at BAE Systems said. “Given that C-suites tend to come from larger organisations, it’s quite an anomalous finding.”

“The decision-makers might be closer to the issue – they might recognise the variety of costs that come in from the fines, and having to hire experts to do investigations and clean-up, to them having to go and improve defences,” he added.

Similarly, BAE noted another disparity between the views of C-suite executives as well as those of IT decision makers. C-suite executives believe that 10 percent of their company’s IT budget is spent on IT security, while IT managers believe that is 15 percent. Also, the C-suite executives believe that hobby hackers are the biggest threat for compromising their organisation’s network – rather than professional, nine-to-five hackers or rogue insiders.

According to BAE Systems, this gap between the top brass as well as IT decision makers will have a real-world negative impact when cyber breaches hit.

“There’s a divide between the decision makers and the C-suite in terms of the perception of different threats, who is responsible or accountable,” Dr Adrian Nish said. “This is certainly a weakness – this gap is something that will lead to weaker defence, and organisations not being able to prepare for attacks.

“Clearly, more work needs to be done around strategy and where spend is going – and more information to bridge that gap.”

Now the question comes how can organisations address this? According to Dr Adrian Nish, it’s accountability that is a “key point to reflect on”.

“You need to find who in the organisation is actually accountable for a cyber breach,” he told Computerworld UK. “Once that understanding is there and it’s their responsibility, they can start thinking about putting reporting lines in place, putting in place the relevant information or intelligence they need to understand the nature of the threat, and ultimately what resources they need to throw at the problem.”

“I would say the more information people have and the better quality information people have, both about the threat landscape and what the issues are in terms of strategic and tactical specifics in their organisation, the better informed they are to make the decision. Getting that quality information is part of the challenge.”