CEOs Perceive Security Needs Differently, Study Finds
By Ericka Chickowski | Posted 2009-07-16
The survey of more than 200 C-level executives gives VARs a better platform of knowledge to position themselves to achieve more face-time with CEOs.
A new piece of research published by the Ponemon Institute on behalf of Ounce Labs found that there is a perception gap between the security expectations and priorities of CEOs and other C-level executives, including the CIO.
Announced this week, "The Business Case for Data Protection" examines the results of a survey conducted by Ponemon Institute among 213 C-level executives. The pool included approximately 14 percent CEOs, whose responses were examined separately and compared with those of the rest of the respondents.
According to Ponemon Institute founder Larry Ponemon, the results showed an interesting dichotomy. Though the overwhelming majority of CEOs were eager to secure their organizations, they still seemed to underestimate the risks at hand.
CEOs ranked security priorities for all categories within the survey as more important than other C-level executives ranked those same priorities. At the same time, although 82 percent of respondents reported their organizations had suffered a breach and more than half said attacks occur on a daily or hourly basis, approximately 48 percent of CEOs said that they think their organizations are rarely attacked.
"CEOs are enthusiastic about security and data protection; probably more enthusiastic about it than other C-level executives," Ponemon says. "On the flip side, CEOs appear to be less likely to believe their organizations are at risk."
The study also found a disparity in expectation of who is ultimately accountable for security. More than half of CEOs think the buck stops at the CIO’s desk, but only about 24 percent of other C-level executives hold the CIO ultimately responsible for security. Another difference found between CEOs and other C-level executives was that ultimately the case for security at the top of the organization is mostly about garnering a trusted reputation and protecting the brand.
"The moral of the story is that we were wrong in believing that CEOs don’t care. And from an internal campaign perspective, it’s nice to start out by saying, 'Hey, my CEO, you should care because others seem to care pretty deeply about this,’" Ponemon says. "We also found if you’re presenting (the case) around reputation and a brand protection you’re more likely to win an audience with the CEO than if you’re talking about compliance and the prevention of data breach."
The results of Ponemon’s research emphasize the difference in priorities for security across the C-suite, says Jack Danahy, founder and CTO for Ounce Labs.
"When I talk to CEOs and try to understand from them what their thoughts are on security, it really is, 'Am I doing enough to protect my organization?’ Which is very different than the question of 'Am I secure?’" Danahy says.
Danahy believes that the survey results should give the channel a better understanding of the motivations of its customers’ internal security champions.
"It’s (an opportunity) for them to learn more about the relationships’ internal champions and help to make them more successful, which is what we see as really a goal from a lot of our buyers and a lot of our integrated partners," he says. "It’s that expansion of security inside these firms not just because it’s good for the businesses, but because they recognize that their internal champions will succeed if they’re doing the most rigorous job that they can, cost effectively, with all the tools that are in the bag. And I think the survey helps to inform that behavior."
Ponemon says that the survey also gives VARs a better platform of knowledge to position themselves so they can achieve more face-time with CEOs.
"If you’re a VAR or you’re an integrator, you know that even the best and the brightest people among you usually have a hard time getting beyond the technical folks. Basically, getting an audience with the CEO is usually an impossibility," Ponemon says. "It could be that when they think about what they do, they’re thinking about it in a tactical way only, rather than as something that’s strategic to a company. And I think some of the findings of their study suggest that security may be something that becomes more strategic. I think something like that could be very helpful for positioning a VAR and integrator and elevating what they do in the eyes of C-level executives."