Cybersecurity: Why bosses are confident, and tech workers are scared

How well protected is your business, really? It depends who you ask.

Is your business cybersecure? It depends on who you ask Bosses are confident and tech workers are scared.

Panic stations or nothing to worry about? When asking how well prepared businesses are to tackle the threat from hackers the answer you get will vary wildly depending on who you talk to inside a firm.

At the top of business, there seems to be a lot of self-congratulatory box ticking, while elsewhere in the organisation there is a nagging sense that something very bad is about to happen.

Two recent pieces of research reflect the ongoing disconnect. The UK government's annual survey of cyber security at big businesses shows that awareness of cyber risk is growing at the top of business. Nearly three quarters of firms said their board sees the risk of cyber threats to be high or very high, in comparison to all risks that they face.

And nearly all FTSE 350 companies now have a cybersecurity strategy, even if only half of them will actually back up those fine words with cold, hard cash. Similarly, nearly all have a cybersecurity incident-response plan, even if only 57 percent actually test them on a regular basis.

And yet, a separate survey by security company LogRhythm of 1,500 IT professionals in big businesses, shows that while the board may feel it is in control, the tech workers themselves are deeply worried.

Only 15 percent feel confident in their organisation's cybersecurity capabilities; the same company did a similar survey last year in which 80 percent of tech professionals surveyed worried their confidential data may be vulnerable to attack.

So where does this disconnect come from? Perhaps the IT professionals tasked with protecting data and systems have a better understanding of the real risk. There really are plenty of groups out there to get you — from organised and disorganised crime to disgruntled insiders and state-backed espionage groups.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

The security industry thrives on fear, uncertainty and doubt, of course. But it's also true that the threat surface — the volume of systems that security teams need to protect and that hackers want to attack — continues to grow.

Companies no longer need to simply protect the data and systems in their own PCs and servers. They have to protect data in cloud-computing systems, from smartphones to Internet of Things devices and even from industrial systems if they are connected up.

It's no surprise that one third of IT professionals in the LogRhythm survey said they were worried by their inability to detect the full range of threats, and complain about the difficulty in finding skilled staff for their teams and their limited budget to invest in cyber defences.

So how to bridge the gap between the boardroom and the security team? Putting a chief security information officer (CISO) in place might be one answer. There is some evidence that having a CISO who can brief the board on the reality of security across the business can improve how executives understand the cyber risks they face. 

Another way is to make it clear that security is a board issue and that means the buck really does stop there. Making execs responsible for security, just as they are responsible for sales or profit, is one very good way of concentrating their minds on the problem. 

While boards may say they are responsible, it's not clear that the tech staff believe that's the case: 19 percent of IT professionals in the LogRhythm survey said they are worried they will lose their job should their organisation suffer a data breach. Until the board is worried in the same way, they won't take security seriously enough.

READ MORE ON CYBERCRIME