Do IT experts and senior managers have a “failure to communicate”?
Earlier this year, the Ponemon Institute issued the research report, The Cost & Consequences of Security Complexity [registration required]. One of the report’s findings is that the growing complexity of the security technology world has resulted in “difficulty in communicating the organization’s security strategy and approach to deal with cyber threats to senior management.” Of the IT specialists Ponemon polled, 67% agreed that their companies’ approach to dealing with cyber threats “is too complex to explain to senior executives.”
This goes against the grain. Senior executives understand tax implications, although they are not accountants. Senior executives deal with complex legal matters on a daily basis, though they did not graduate from law school.
So why is it that, when senior executives are faced with cyber security issues, employees, service providers, and in-house IT personnel have such a hard time explaining the strategy being implemented to protect the crown jewels of the business? Those crown jewels include such essentials as the personally identifiable information (PII) of the company's clients, employees, and vendors; payment card information of clients (PCI); and even protected health information (PHI) of employees.
This is a timely question because a New York development that could spark activity in other states underscores how important it is for senior management to “get” cyber security—and the insurance coverage that protects companies when cyber threats become incidents.