Talking About Security Bores the Boss, Survey Shows

How significant and urgent are the various threats to a company’s infrastructure from security problems? It depends who you ask. A survey out today by Core Security, a company that specializes in software that predicts security problems, suggests there’s a rather wide gulf of concern between the chief information security officer and the CEO.

The survey checked the opinions of 100 CEOs and 100 CISOs, or other C-level execs with responsibility on security matters. Among the highlights: 36 percent of CEOs said they never hear from their CISO about the state of the organization’s security, and only 27 percent get reports on the subject on a regular basis.

The survey also found that while CEOs tended to see the biggest threat as coming from outside the company, CISOs worried more about internal threats from negligent employees.

Despite those worries, only 15 percent of the CEOs said they were “very concerned” about IT security. CEOs were apparently unified in their candor about not knowing enough on the subject: 65 percent said they didn’t have enough information on the topic to really understand how security problems might threaten the overall business.

Other highlights: A little more than a quarter of the CEOs conceded that their networks might be under attack without them ever knowing it, while more than 57 percent of the CISOs thought the same thing. About half of the CISOs have tried to attack their own networks to see how well they stood up.

Yet CEOs are the ones who seem to worry the most about the implications — for their careers — of suffering an attack: Three times as many CEOs worried about losing their jobs following an attack than did CISOs.