C-level, IT managers view cyber security differently: BAE Systems
By Edwin Yapp February 24, 2017
- Board, senior management need to strategically collaborate more closely with IT
- A top-down push needed to address issue as volume and sophistication increases
THERE seems to be a disconnect between how C-suite and IT executives perceive the complex landscape of cyber security in Malaysia, according to a new study by BAE Systems plc.
The latest findings, entitled BAE Cyber Defence Monitor and produced by BAE Systems’ cybersecurity division, known as BAE Systems Applied Intelligence, revealed that while these two groups agree on many things, they often do so from very different perspectives, a trend that suggests a lack of clear communication and of agreed basic information shared between business and IT leaders.
The study concluded that C-suite executives were more worried about the theft of sensitive information and customers’ personal data, while IT decision makers were concerned with a broader set of potential losses, many of which reflected a more mature understanding of the consequences of a successful attack.
It also suggested that the two groups differed in their assessment of the cost of an attack. C-suite executives estimated the costs of attacks to be an average of US$3.9 million, while IT decision makers tagged that sum to be an average of US$17.8 million, a difference of US$13.9 million.
The findings were culled from a telephone survey of 221 C-suite executives of Fortune 500 companies and an online poll of 984 IT security decision makers at mid-market companies of at least 50 people; the poll was conducted between October and November last year.
The countries surveyed included Malaysia and Singapore in Asia; the United Kingdom and Germany in Europe; Australia; the United Arab Emirates; and the United States and Canada.
Asked why these discrepancies were so acute between the two groups, BAE Systems Applied Intelligence’s cyber security expert Goh Su Gim said the perception-based survey didn’t indicate exactly why this was so.
However, he noted that based on his experience, IT executives tend to be more factual and are likely closer to the issues – hence the comments returned – compared with their business counterparts. IT leaders could also be more conservative in their estimates of the cost of attacks to the organisation, Goh argued.
“IT guys are more factual and they tend to put the onus on top level and push the security agenda – this could be one of the reasons as to why they gave their views the way they did in this survey,” said Goh.
Quizzed as to what must be done to close this gap, Goh said conversations [around cyber security] between board members, senior management and IT leaders need to happen more often.
“IT needs to talk to Board and C-suite more,” he suggested. “IT folks are more analytical and factual and C-suite may be more concerned about dollars and cents.
“But the security agenda has to come from the top because they are the ones who dictate the budgets and how they’re spent,” he explained, adding that they are also the ones who should be creating security awareness for the rest of the staff.
The BAE-commissioned study also identified another worrying trend between business and IT leaders. According to the survey, the responsibility for security breaches is unclear, with C-suite executives and IT decision makers (ITDMs) disagreeing as to who should be responsible and accountable for successful breaches.
C-suite leaders believe that 35% of the responsibility lies with ITDMs, 30% with all staff, 5% with the leader of the organisation, 5% with middle managers, 10% with board members and 15% with senior management.
Meanwhile, ITDMs believe that only 28% of the responsibility lies with themselves, attributing the rest to the leader of the organisation (20%), the board (19%), senior management (16%), middle managers (9%) and all staff (7%).
BAE Systems’ Goh noted that C-suite executives and ITDMs have different priorities, and this may account for the misalignment in their perception of who is actually responsible.
Goh added that this disconnect could expose weaknesses, so businesses need to address any intelligence gaps, recognising that all employees have a responsibility when it comes to cyber security.
“Thus, a strong strategy is preferred over ad-hoc security spending, which is key to addressing this,” he argued.
The BAE-commissioned study identified some other significant trends that business and IT leaders must both take note of. They are:
- Malaysian IT decision-makers are most worried their company will be attacked in the next twelve months, with 50% of C-suite and 80% of ITDMs polled saying so. This is in line with how Singaporean C-suite (48%) and ITDMs (77%) perceive the threats;
- Nine out of 10 C-suite respondents in Malaysia expect the frequency of attacks to increase and their severity to worsen, while about eight in 10 ITDMs say the same about the frequency and severity of attacks;
- In Malaysia, both business and IT leaders are ‘fairly confident’ they can prevent attacks; however, 30% of C-suite respondents were ‘not very confident’ of doing so – the highest globally;
- The top three expected reasons for a successful breach in Malaysia are human error on the part of employees; attackers breaching networks from the outside; and insufficient investment in parts of the network’s IT security;
- In their own words, both business and IT leaders were concerned about a range of security trends, among the most commonly raised being ransomware, loss of data, the Internet of Things (IoT), data protection, fraud, and phishing.
BAE Systems’ Goh reminded both business and IT leaders to remain vigilant, as the sophistication and volume of attacks will continue to rise.
“A forward looking strategic approach to cyber defence is important to stay ahead,” he explained. “As the threats evolve, it isn’t just about tracking down the threats but also about taking a proactive approach and working to understand new, unknown cyber threats.”