With 47% of executives saying their cyber security programs don’t include advanced malware analysis tools, it should come as no surprise that a recent study by ThreatTrack Security found that more than two-thirds of them lack confidence in their security.
While the executives in the ThreatTrack Security study lack confidence, the Global State of Information Security survey, which focuses specifically on information security, shows an increase in C-suite confidence. Are you confused yet?
The interesting thing is that execs in both studies, confident or nervous, aren’t actually doing enough to ensure organizational security. The confidence is unfounded, and the nervousness isn’t producing more secure practices. They’re all in the same boat because the threats are outpacing the ability of organizations to keep up.
One explanation for both the sleepless nights and the overconfidence could lie in communication from the security team, the people actually carrying out the procedures and running the tools. They may be very good at protecting the company from threats and much less good at speaking in terms a CEO can understand; a word like “risk”, for example, can mean something quite different to a security analyst than it does to an executive reading a board report.
Opening honest lines of communication between executives and the security team could go a long way toward getting under-developed programs the C-level support they need to strengthen security. The security team needs to talk in terms their executives understand, and executives need to be asking the right questions.
Fixing vs. avoiding
With the increasing number of threats out there, it is safer to operate under the assumption that you have already been breached. Putting up more defenses is worthwhile, but there should also be a plan for how to detect a breach and contain the damage once it has happened. You may not be able to stop every cyber-attack, but being prepared to deal with one is essential.
The money problem
While a large security budget is a great way to get the resources an organization needs to put up a good defense against potential attackers, money alone won’t keep you secure. Proper procedures and having the right staff in place are just as important as a healthy budget. Organizations need to take the time to assess their risks and manage them in a way that makes sense for their unique needs, and that risk management should be regularly reviewed and adjusted as necessary. Throwing money at a flawed program won’t protect you.
There is no silver bullet against cyber-crime. Your company is vulnerable. How nervous or confident you are about security should be based on open and honest communication, a full understanding of your risks, and a realistic view of your ability to mitigate them. If you’re nervous, act on it: get informed and make a plan. If you’re confident, make sure that confidence isn’t born of ignorance.