Wall Street & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:40 PM
Becca Lipman
Becca Lipman
Connect Directly

'Enlightened' Non-IT Execs More Likely To Run Secure Organization

Do senior executives understand their role in data security? On the whole, unsurprisingly, no.

A recent NTT Com Security survey of 800 senior business decision makers outside the IT department across industries (registration required) found that the education, actions, and opinions of senior executives has a significant impact on the organization's data security.

Executives were divided into four categories based on their understanding of security risk and commitment to protecting data. Respondents deemed "enlightened" on these topics were more likely to work in organizations that have strong data security policies, higher IT spend, and a more mature attitude about the value of their data. A minority of respondents fell into this category. Performance worsened in the organizations where executives fell into the "informed," "passive" or, worse, "complacent" categories.

Chris Camejo, director of assessment services at NTT Com Security and a leader in threat intelligence, told us the results of the survey are in line with his experience in the field. "There's probably the majority that know a breach is going to happen, and they want to do what they can to improve their defenses, and the remainder are just kidding themselves, because they're probably going to get breached, too."

According to the survey, 37% of all respondents said all the organization's consumer customer data is completely secure. "That's what's interesting to me," Camejo said. "So many people out there are saying, 'Yeah, yeah, yeah, we're secure. Nobody will steal our data,' when in reality that number is a lot closer to 100%."

He is part of an offensive security team that does system penetration testing on networks. There are two reactions he gets when he presents executives with a report of all the ways his team has broken past firewalls. "The more enlightened will say, 'That's along the lines of what they expected.' They know their security isn't perfect and want to do what they can to patch the holes. The others will argue with every finding, saying, 'No, that's not really possible. That's just theoretical.'"

Sometimes, Camejo's team is bought in by the IT guys to do the penetration testing, because they know there are issues, and they need something from a third party to drop on an executive's desk and say, "Look, we need budget and more attention on this."

Other times -- and more reflective of an "enlightened" and "informed" leadership -- the IT team tells executives all is fine, and there's nothing to worry about. "Executives come to us to test the systems and verify IT's claims. And woe to the IT guys if we compromise their network in a few hours after telling the executives everything is great." And then, of course, there is a third category, where everyone is on the same page, "everyone knows nothing is perfect and want a better handle on what they should fix first. It's not always an adversarial relationship."

Perhaps the most important disconnect between today's executives and their understanding of data security is understanding the risk to value. The report concluded that risk assessments, where decision makers look at what they are trying to protect and from whom, along with the financial implications of a breach, are still not happening enough. They should be the driver behind security decisions and where to direct budget and focus. Unenlightened respondents will be more subjective if they see the true cost of a breach.

"When you look at things like the Target and Home Deopt breach, how many people have walked out the door since that happened?" Camejo said. "If they aren't being proactive about hiring people with a better handle on information security, the problem isn't going to solve itself quickly." It will be addressed "fairly painfully."

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio
More Commentary
A Wild Ride Comes to an End
Covering the financial services technology space for the past 15 years has been a thrilling ride with many ups as downs.
The End of an Era: Farewell to an Icon
After more than two decades of writing for Wall Street & Technology, I am leaving the media brand. It's time to reflect on our mutual history and the road ahead.
Beyond Bitcoin: Why Counterparty Has Won Support From Overstock's Chairman
The combined excitement over the currency and the Blockchain has kept the market capitalization above $4 billion for more than a year. This has attracted both imitators and innovators.
Asset Managers Set Sights on Defragmenting Back-Office Data
Defragmenting back-office data and technology will be a top focus for asset managers in 2015.
4 Mobile Security Predictions for 2015
As we look ahead, mobility is the perfect breeding ground for attacks in 2015.
Register for Wall Street & Technology Newsletters