Viewpoints
Managing risk
Syncing up on info security
 
Contacts
Mark Lobel
Partner
Tel: +1 (646) 471 5731

CEOs, CIOs, and CSOs differ in their attitudes about business security matters.
   

CEOs worldwide might want to sit down with their information and security officers to discuss their differing perceptions of risk. According to a recent global information security survey conducted by CIO magazine, CSO magazine, and PricewaterhouseCoopers, CEOs, CIOs (chief information officers), and CISOs (chief information security officers) or CSOs (chief security officers) differ in their attitudes about business security matters. The survey concluded that many CEOs are far more confident about their companies’ security than their information technology (IT) and security leaders are.

Executive views on security attacks



Source: Fifth Annual Global State of Information Security Survey 2007, CIO, CSO and PricewaterhouseCoopers

Typically lacking in-depth technical knowledge with regard to IT, CEOs naturally have different perspectives on information security from those of the executive team members who manage these functions. Even so, CEOs and CIOs are on the same page concerning the number one priority for company information security efforts: maintaining business continuity and alleviating risk. CSOs, however, place greater emphasis on regulatory compliance.

Perhaps the most interesting finding concerns a change in perception with regard to the source of security threats—an area that the survey has tracked for five years. Today, CIOs and CSOs say former and current employees are more likely sources of security attacks than outsiders are. And they report that email and abused user accounts are the most common methods of employee attacks. This change, however, does not suggest an increase in corporate crime over the past few years. Rather, it points to possible cracks that have developed in information security infrastructure, and it indicates a greater awareness of the changing nature of security attacks.
Despite security and technology executives’ growing awareness of the true nature of security threats, an overwhelming number of CEOs still say hackers—not employees—are the culprits who should be targeted. However, CEOs believe, more so than their security counterparts, that their organizations are secure and have experienced few attacks.

So, how can these differences be reconciled? The survey data leads to what is perhaps a counterintuitive conclusion. While information security strategies need to include technical approaches, such technical approaches may not lead to the whole solution. More extensive or wider information sharing between an organization’s top executives could turn out to be equally if not more important.

 




© 2008 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.