C-level execs need to end disconnect to improve IT security

There is often a disconnect between a company's upper management and its IT department. Two recent surveys address this topic.

Because of the security implications, the disconnect between a company's upper management and its IT department has received significant tech-media attention. But it has just been talk, with nothing concrete anyone could put a finger on. That may have changed.

It now seems possible to draw a few conclusions about the supposed disconnect thanks to two recent surveys that ask participants specific questions about the rift between upper management and the IT department. What makes the surveys even more relevant is that one survey selected its pool of participants from upper-management volunteers, while the other survey chose its pool from volunteers belonging to IT departments. This delineation should sharpen differences of opinions picked up by the surveys.

IT department's viewpoint

A recent Ponemon Institute study sponsored by Websense culminated in the paper Exposing the Cybersecurity Cracks: A Global Perspective. Ponemon surveyed close to 5,000 IT and IT security practitioners in 15 countries: Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Italy, Mexico, the Netherlands, Singapore, Sweden, United Kingdom and the United States.

Now, let's look at the Ponemon survey questions pertinent to this discussion. First, the participants were asked if they agree or strongly agree with the following statement: My company's leaders equate losing confidential data with a potential loss of revenue. Only 20 percent agreed or strongly agreed.

Next, Ponemon researchers asked the participants questions about the threat landscape, and how well non-IT executives and board members understand the company's cyber-security defenses.

[Figure: Questions from the Ponemon survey. Image: Ponemon]

The results for question 16 were unexpected. I asked Jeff Debrosse, director of security research at Websense, during a conference call discussing the report, if the results surprised him. Debrosse explained that the threat landscape changes so fast today, especially with APTs and zero-day exploits, that 53 percent of IT department members not being fully aware of all the threats was understandable.

Questions 17 and 18 match up with what tech-media outlets are saying. Most participants feel strongly that upper management and board members are not well versed in the company's cyber-security defenses.

Upper-management's viewpoint

Next, let's look at what upper management thinks. Wakefield Research conducted the survey of individuals belonging to upper management on behalf of Avanade, a business-technology solutions and managed-services provider and a subsidiary of Accenture.

The Avanade report Global Survey: What's creating tension between IT and business leaders? published the results gathered by Wakefield Research from 1,003 C-level executives, business-unit leaders, and IT decision makers in 19 countries: Australia, Belgium, Brazil, Canada, Denmark, Finland, France, Germany, Italy, Malaysia, Netherlands, Norway, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom, and the United States.

The report does not mince words, starting with the executive summary: "New data shows a real tension between IT and the broader business as budgets and control move outside the traditional IT department."


Avanade came to this conclusion based on:

  • 90% of the participants reported that members of non-IT departments are making technology decisions, including decisions about infrastructure solutions, mobility solutions, and maintenance and support.
  • Almost 40% of the companies surveyed reported that budgets allocated in 2014 for technology investments are now controlled by departments other than IT.
  • More than 70% of C-level executives and business-unit leaders believe they can make decisions about technology for their department better and faster without the involvement of IT staff.
  • Close to 70% of IT decision makers still feel IT departments are responsible for technology usage, but lack the control to manage this effectively.

Compare and conclude

It's time to draw a few conclusions. Avanade's report mentioned, in big bold letters:

"Avanade's survey showed that more than one-third of a company's total technology purchases are made by business people who do not report to the CIO. Why?"

That is an interesting question. Another Avanade quote:

"Thirty six percent of IT staff's time is spent managing and maintaining legacy systems. This legacy commitment has a consequence. Fewer than one in four executives say IT staff regularly suggests new technology solutions on their own."

Those two quotes suggest some of the disparity seen in the surveys. More to the point: when asked, IT-department members felt upper management did not understand what was needed to secure the company's digital assets, while a whopping majority of upper management feel they are more qualified than IT to make decisions about technology.

What do you think? Is there a disconnect? If there is, it's time to get rid of it. The only people truly benefiting from the disconnect are the bad guys.