Employee Management

There’s a disconnect between how managers and the C-suite talk about cyber risk

IT personnel ‘down in the weeds’ have very different concerns about cyber risk than leaders, RiskOptics CEO Michael Maggio says.

Ever feel like you and your boss just aren’t on the same page on a project? Don’t worry; your boss’s boss probably feels the same way about them—at least when it comes to gauging cybersecurity threats.

A new survey by IT risk management firm RiskOptics illustrates how IT personnel at varying levels of seniority aren’t necessarily seeing eye-to-eye when it comes to defining terms like risk—and may have very different views about the biggest problems facing their departments.

RiskOptics commissioned the poll of 261 respondents working in information security or governance, risk, and compliance (GRC) in partnership with Researchscape. It found that 59% of directors and 51% of managers named the sheer quantity of cyberattacks as their biggest day-to-day challenge, while 52% of those at the SVP level said that their biggest headache is that the C-suite doesn’t understand cyber and IT risks. Senior executives at the C-suite level in turn named their biggest challenges as insufficient funding (42%) and leadership turnover (40%).

Those SVP- and C-suite-level executives also appear to be more confident in their abilities than those further down the corporate ladder. Sixty-three percent of SVPs and 56% of C-suite respondents said they felt extremely confident in leadership’s approach to cyber/IT risk in strategic planning, while just 37% of managers and 44% of directors did. Despite all respondents to the survey working in the same fields, just 45% picked the same definition of risk, while only 47% agreed on the definition of threats.

Those findings show a disconnect that is likely rooted in how a role’s operational needs vary depending on its placement on the food chain, RiskOptics CEO Michael Maggio told IT Brew.

“I think it’s like any sort of job,” Maggio said. “There are the people down in the weeds doing the work, filling out a form, doing an audit, doing compliance…When you ask middle management and up, ‘What do you need?’ they’re saying, ‘Well, I need to solve a strategic problem.’”

“There’s a real confusion as to the terminology people use,” Maggio added. For example, he said, some managers might not understand that vulnerabilities aren’t “necessarily something you can plan for.”

The survey also showed that concern about understaffing is widespread throughout information security and GRC departments. Eighty percent of respondents said they were concerned their leaders were under-resourced, while 79% agreed that turnover was a significant problem and 87% said they believed pressure on leadership was growing.

While over eight in 10 directors said they communicated cyber/IT risk of specific business initiatives to company leadership, just three out of 10 at the C-suite level said they communicated those risks to other senior corporate leaders.

“It’s clearly very strong pain points that we’re hearing from the survey and our customers,” Maggio told IT Brew. “Which is, ‘I’m understaffed, I’m not getting the money, help me show my management team why it’s important to invest in identifying the risk and making it a business advantage, versus making it just something that’s a cost center that they want to cut somehow.’”—TM
