More than half of top-tier managers in India (80%) admit that a miscommunication with the IT department or IT security team has resulted in at least one cybersecurity incident in their organizations. In terms of personal attitudes, the majority of non-IT executives cited a diminished sense of cooperation between different teams (48%) and said it situation makes them question their colleagues’ skills and abilities when communication with their IT-security employees was unclear (43%).
The recent Forrester analytics survey says that companies spend an average of 37 days and of $2.4 million to detect and recover from a cybersecurity breach. To determine how much mutual understanding between executives and information security teams affects company’s cyber resilience, Kaspersky conducted a global survey of more than 1,300 business leaders.
According to the results of the study, 100% of non-IT respondents experienced miscommunications regarding IT security. With regards to consequences, most often a breakdown in communications leads to serious projects delays (81%) and cybersecurity incidents (80%). Almost one-third of respondents (46% and 45% respectively) even said that they had even encountered these issues more than once. Among other negative effects are a wasted budget, the loss of a valued employee and deteriorating relationships between teams –situations that occurred to 74% of respondents.
In addition to worsening business indicators, unclear communication with IT-security employees also affects the emotional state of the team and makes executives question IT-security employees’ skills and abilities. Also, 48% executives admit that misunderstandings make them lose confidence in the business’ safety and 37% of them find this situation makes them nervous, which affects their work performance.
“Clear communication between a company’s executives and IT security management is a prerequisite for corporate business security”. – comments Alexey Vovk, Head of Information Security at Kaspersky. ”The challenge here is to put oneself in the others’ position, to anticipate and prevent serious misunderstandings. This means that, on the one hand, CISO should know basic business language to better explain the existing risks and need for safety measures. On the other hand, business should also understand that information security in the 21st century is an integral part of business and budgeting for it is an investment in protecting company assets”.
Dipesh Kaura, GM, South Asia, Kaspersky said” The heightened threat of cyberattacks has changed this dynamic, with executives and IT security departments needing to work closely together to minimize damage and disruption. We provide employees with efficient operation security tools for communication security and encryption, along with best practices to handle internal and external communications while an organization is under attack. Our data-driven product offerings include training sessions and tailored workshops for cybersecurity administrators and corporate communications teams. Kaspersky’s Global Research and Analysis Team (GReAT) conducts its threat investigation to ensure the IT security teams work alongside the company’s executives in their efforts to develop effective internal and external messaging. We recommend that Cybersecurity specialists use reliable and coherent ideas when articulating their needs to the board and justifying their cybersecurity budget.”
To make the communication between IT security and business functions within the Indian company more transparent, Kaspersky recommends the following:
- Understanding professionals from another sphere requires not only empathy, but also additional knowledge. While IT security workers could get more information about basic business terms and concepts in various training courses, non-IT executives have an opportunity to walk in a CISO’s shoes to get insights on the most relevant IT security challenges.
- Both IT and non-IT managers should not lock themselves in a professional “information bubble”. Staying aware of the agenda in both the business and cybersecurity worlds is another key to successful communication and mutual understanding between them.
- Cybersecurity specialists should use reliable and understandable arguments when communicating their needs to the board and justifying their cybersecurity budget. Use information about the threats and security measures most relevant to your particular industry and company size to prove the probability of risks and the protective measures needed. Resources such as IT Security Calculator and reports based on experts’ observations can significantly ease this task.
- Today when cyber threats are becoming more and more relevant and companies are forced to increase their information security budgets, it’s extremely important to allocate cybersecurity investments in tools with proven efficacy and ROI. This means tools that lower the level of false positives, and reduce time of attack detection, the time spent per case and other metrics are important to any IT security team.