Execs keep flinging money at us instead of understanding security, moan infosec pros

Fresh from years of complaining about underfunding and not having enough staff to deal with problems, infosec bods are now complaining that corporate execs merely firehose cash at them without getting their own hands dirty or engaging with the problem.

That’s one conclusion that could be drawn from a Trend Micro study published yesterday. Around half of businesses surveyed are spending more on “cyber attacks” than they used to, it said, while a similar number reckon their C-suites don’t know what “cyber risk management” means – possibly something about ensuring monitors are firmly bolted to desks.

“Low C-suite engagement combined with increased investment suggests a tendency to ‘throw money’ at the problem rather than develop an understanding of the cybersecurity challenges and invest appropriately,” intoned Trend Micro.

The firm’s survey of 5,000 “IT and business decision makers” from companies with more than 250 employees concluded that clueless captains of industry were still a problem, no matter how much money they threw at the IT security department.

“Most (77 per cent) want to hold more people in the organization responsible for managing and mitigating these risks, which would help to drive an enterprise-wide culture of ‘security by design’,” said Trend, adding that 38 per cent of respondents wanted the CEO’s neck to be on the block for security failures.

While the notion that cybersecurity or even the wider IT department is overflowing with cash might seem a bit fanciful in many organisations, there’s a serious point to be made about non-IT execs’ awareness of today’s risks.

A couple of years ago Bitdefender found that just over a fifth of C-suite people lumped with the cyber security portfolio thought it was one of the most challenging topics for their peers to take seriously. At the time the nation state cyber threat to ordinary domestic organisations seemed like overblown marketing FUD; events at SolarWinds later that same year proved otherwise.

And then there’s the indiscriminate, all-pervasive threat of a ransomware attack – especially if yours is a Windows shop.

Back in the mid-2010s, wider IT industry thinking was that there needed to be a C-suite champion for security, rather than the CIO or CISO reporting upwards to actual executives. Now we’ve begun reaching that point, perhaps what the world needs is for every C-suiter to think of security for their area of the business, not just whoever’s had it dumped in their lap. ®