Most CEOs clueless about cyberattacks – and their response to incidents proves it

Summary: Despite an onslaught of devastating high-profile cyberattacks, four in five CEOs aren't regularly informed about potential threats to their organizations and only 14 percent of top executives play an active role in the incident response process.


Organized cyberattacks continue to grow in both volume and complexity, yet the vast majority of top executives at the companies and organizations targeted are still remarkably unaware of just how vulnerable their networks and data are to a multitude of different threats.

This lack of awareness, according to a new survey by security research firm Ponemon Institute, is directly correlated to how quickly – or not – companies respond to an attack and eventually sort out how it happened and who was responsible.

"Our research indicates that organizations are not communicating with business leaders about computer security threats," the report concluded. "Whether this is because they are afraid to admit the realities to the people that they work for, or because they don’t know how to articulate those realities in dollars and cents terms that are relevant to business decision makers, the consequences are the same."

For small and midsize businesses, the inability to effectively respond to or protect against cyberattacks is primarily the unfortunate consequence of limited IT budgets. For large enterprises and government agencies, it's often a combination of hubris, organizational dysfunction and indifference or ignorance among top executives that conspires to keep their organizations at risk time and time again.

Only 20 percent of the 674 IT and IT security professionals surveyed said they regularly communicate with upper management about potential security threats. Yet, 57 percent said they expect to experience a breach within the next year.

More troubling, especially for customers such as those affected by a wave of attacks against Target and other leading retailers, is the fact that it takes companies at least a month to investigate an attack, restore service and verify the resolution of the incident. Forty-seven percent of respondents admitted their companies either don't assess the readiness of their cybersecurity response teams or don't do so on a regular basis. Only 23 percent of organizations have a corporate communications plan in place in the event that a material breach needs to be disclosed to the public and 45 percent admitted that they don't share or receive threat intelligence with other organizations.

"Computer security needs to be a boardroom discussion, before the organization is in the headlines, and not after," Ponemon researchers added. "It's not only important that organizations track the incidents they are experiencing; it's also important to relate those incidents to the bottom line of the organization and convey that information to business leaders."

Larry Barrett is a freelance journalist and blogger who has covered the information technology and business sectors for more than 15 years.

  • Computer Security

    Until a couple of CEOs are hauled off to prison I doubt this will change. The problem is good security costs money upfront and the actual or potential savings are impossible to truly quantify. So what happens is it is a cost that MBAs try to avoid, not realizing the backside damage will be much worse. Ask Target about their sales decline and how much they are having to reserve against suits and fines over the break-in. I suspect the cost of doing security correctly with software and hardware upgrades would have been much less and spread out over many years instead of a massive hit in one or two fiscal years.
    • CEO should get a free pass on this.

      It seems that the general opinion from the commenters so far is that the Top Executives get a free pass? In my experience, especially in midsize companies, IT is just another cost center on the books and it's all about cutting costs. CEOs ultimately approve the budgets. I can't count how many times over the years I have seen security related line items stricken from budgets. It always seems to be the easy low hanging fruit that gets used to help the budget. I have heard "Next year for sure" several times. Not to mention that they are the first to request deviations from a security policy if they or someone important is inconvenienced by it. Only the little people should have to change passwords regularly, right? BYOD? Sure! Even though there is no infrastructure to control its impact. It is IT's job to inform and recommend, but in most cases we don't write the checks. I am pretty sure that IT laziness is not the reason that there are still tens of thousands (hundreds?) of obsolete Win XP machines still in the enterprise. All this adds to the security holes in the enterprise. Paying for this infrastructure is on the CEO's shoulders. Unless you are a large company with lots of folks with "C" titles, IT is usually not invited into the boardroom. We submit budgets just like every other department. Revenue generating departments to the front of the line.
  • My Assumption

    My personal assumption is that when you are online you are a target for criminals. How valuable a target and how much effort the criminals will pay to directly attack me are the only variables. Since I am a relatively low value target I am likely to see mostly spam and various broad attacks, not a targeted attack. However, a major retailer will face targeted attacks because they have massive amounts of customer information in their systems.
  • This isn't really a CEO's job, Larry...

    In most organizations (except for ones whose primary purpose is high-technology, such as Google, IBM, etc), the CEO has bigger fish to fry than worrying about IT infrastructure. That is the job of those organizations' CTO/CIO and related IT teams.

    The CEO is charged with the *OPERATIONAL* aspect of the core business itself - in most businesses (including Target and Neiman Marcus). The IT department is only one small part of that business and is guided by the strategic direction of the business (rather than the other way around). These kinds of details shouldn't be on the shoulders of the CEO or the CFO - they're busy driving the business itself.

    A security failure like the one that happened to Target is a failing of the IT department, not the chief executive office.
    • Agreed, most CEOs are clueless about a lot of things not just cyberattacks

      Really, the CEO has the big picture strategy responsibilities and all the details are typically well below the CEO. Perhaps they should get better briefings before opening their mouths on subjects they know nothing about, or just defer to the CIO or a corporate communications spokesperson.
  • Horses for courses, Larry...

    Yep, and the Incident Response manager is clueless about this year's sales figures. Can you imagine how much fun it would be to have the CEO calling the shots during an advanced threat attack? Keep him/her briefed, sure, but let's let those with the subject matter expertise earn their pay...
    Rowan Williams
  • Article clearly places responsibility on IT organization

    Although the headline is somewhat ambiguous, the CEOs are in fact clueless, but it is because of the lack of communication upward from the IT organization.

    To me, the article makes it clear that the responsibility to inform upper management (and failure to do so) falls on the IT department.

    It's not just the IT leadership, either. IT subordinates often fail to disclose important vulnerabilities, probably because they feel it makes them unprepared. Typically, the failure is due to lack of resources - staff, budget, and tools. If properly informed, the CIO / CTO can stress the importance of budget allocation and the consequences of not doing so.

    Keeping everyone informed in the chain upward is the only way to ensure that these things don't happen, or at least to demonstrate that you fulfilled your responsibility. That doesn't always help, but it's all that you can do, so we should do that much at the least.
    • Slight correction

      I meant to write, "IT subordinates often fail to disclose important vulnerabilities, probably because they feel it makes them APPEAR unprepared." In fact, it's quite the opposite. It demonstrates foresight and the know-how to identify (and hopefully propose solutions to) vulnerabilities not yet exploited.
  • Article "in error" clearly places responsibility on IT organization

    Great comments, my 2 cents worth:
    The buck stops with the CEO, no free pass! The title comes with responsibility for everything.

    It is very possible to quantify ROI on security and ops; you just have to ask and answer the right questions, like: What is at risk? What is the value of your brand, customers and shareholders?

    IT guys, security is very much about IT, but it's not, or should not be, your job or responsibility, especially for a breach. IT in fact is in the security threat plane. Security Operations for the companies that are doing a good job are independent and answer to legal, and are never in the news.

    Security is usually misplaced on the org chart to begin with and becomes counterintuitive to its mission and often presents internal conflicts of interest, and I agree, becomes low hanging fruit for the bean counters to chop up and unknowingly increase the breach risk factor.