
Mind the Gap: Closing the Yawning Chasm Between Executive Thoughts and Deeds

Humans don’t always say what they mean. And even if they do, their actions don’t always tally with what they say. This is particularly a problem for senior executives in the context of cybersecurity policy. As new research reveals, there is a “conduct gap” at the top of many organisations, which threatens to undermine security-by-design culture and expose the company to excessive cyber risk.

Organisations need to build a culture which will not tolerate “executive exceptionalism”. But that will take a change in behaviour from the C-suite and potentially also IT security leadership.

How Bad Is It?

The Ivanti report was compiled from interviews with over 6,500 executive leaders, cybersecurity professionals and office workers at global organisations. It reveals a striking disparity between what business leaders say and what they do. On the one hand, most say that:

• They are at least moderately supportive of, or have invested in, corporate cybersecurity (96%)
• They provide mandatory security training (78%)
• They are prepared to recognise and report threats like malware and phishing (88%)

However, on the other hand, many respondents engage in excessively risky behaviour, such as:

• Requesting to circumvent one or more security measures in the past year (49%)
• Using easy-to-remember passwords (77%)
• Clicking on phishing links (35%)
• Using default passwords for work applications (24%)

Some of these findings are even more stark when lined up against the behaviour of regular employees. For example, just 14% of regular employees say they use default passwords, against 24% of executives. Execs are also three times more likely to share work devices with unauthorised users, the report claims.

Senior leaders also appear to have a troubling relationship with cybersecurity. When they come across security issues impacting them personally, they’re:

• Twice as likely as regular workers to say their past interactions with security were “awkward”
• Four times more likely to use external, unapproved tech support
• 33% more likely to “not feel safe” reporting security mistakes like clicking on a phishing link

“There can be a disconnect or communications gap between company leadership and IT security. This is because they have differing priorities, and so CXOs aren’t likely to prioritise and understand security in the same way as IT security teams,” Ivanti EVP, Helen Masters, tells ISMS.online.

Why Are CXOs Behaving So Badly?

There are several theories as to why this conduct gap has grown so wide in recent years. Executives are usually under extreme time pressures, which might leave them more prone to making security mistakes, seeking workarounds and bypassing official channels. A sense of exceptionalism may further inflame this.

“Ultimately, in a bid for productivity, CXOs are underestimating the impact of their actions and how shortcuts contribute to security vulnerabilities,” Masters argues.

Security bosses may also be partly to blame due to a combination of burnout, “just-this-once-ism” and a weak security culture which means they feel uncomfortable pushing back, the report claims.

What Is The Impact?

Whatever the reasons, the impact of poor executive security practices can be significant. Threat actors know execs often practise poor cyber hygiene. They also know that the C-suite has access to highly sensitive and monetisable information, including trade secrets and confidential details on corporate strategy. Why bother targeting employees lower down the food chain and spend time and effort elevating privileges if you can get everything from a single phishing attack?

Business email compromise is another critical threat often aimed at the C-suite. Over recent years, senior executives have been tricked time and again into green-lighting large money transfers to threat actors posing as partners and bosses.

Building Better Security From The Top Down

Closing the conduct gap won’t be easy – nothing that requires changes to corporate culture ever is. But it is achievable when built on solid foundations. This could mean deploying an information security management system (ISMS), which provides the policies, procedures and other controls around people, processes and technology needed to keep information assets secure. It includes security awareness and training, which could be adapted for executives.

A key aspect of this is developing a culture where executives don’t feel like they can bend the rules to fit their own requirements. That will, in part, require security leaders to build trust with those executives based on support, education and advice rather than condemnation, punishment and shaming.

“Collaboration with IT and security teams is key, along with fostering a culture where security is not viewed as an obstacle. This approach will help organisations achieve ISO 27001 or SOC 2 compliance more effectively,” argues Masters.

IT leaders can help to drive this cultural change by showing they’re willing to listen to their end users.

“One approach involves reducing the common sources of frustration often linked to robust cybersecurity measures, like excessive and frequent password requests,” Masters continues.

“Through risk-based intelligence, organisations can concentrate on the most significant threats, while automated remediation swiftly resolves issues before they affect user productivity. This approach ensures that security measures do not cause unnecessary disruptions, which could otherwise prompt executives and all employees to resort to unsafe practices.”

The report has a handy checklist to help IT and security leaders kick-start their efforts:

• Conduct an internal audit of security/executive interactions to understand the scale of the conduct gap
• Fix the easiest risks first, perhaps updating and documenting access policies and acceptable use policies, as well as deploying controls that run silently in the background. The key is to avoid direct conflict with leadership where possible
• Consider gamified security training sessions and tabletop exercises using real-world case studies, so executives can understand the impact of poor cyber hygiene
• Implement a “white glove” security program for execs designed to build trust and lower barriers to reporting security issues

Time-poor executives will always make mistakes. But with a keener focus on awareness raising, coupled with less intrusive security, there’s plenty organisations can do to minimise the potential for disruption.
