It's Vital for the IT Department to Get Executives on the Company Board

It's vital for the IT department to get executives on the company board to properly understand security threats if the maximum possible security against cyber attacks is to be achieved.

That was the consensus among experts during a Computing web seminar, Closing the IT security risk management gap: 3 Ways to connect IT & the Board. However, in order to do this, IT staff need to present information to the board in easy-to-understand language, rather than the technical jargon which often dominates IT departments.

"Part of the difficulty in getting board awareness as IT professionals is we tend to be deep into risks, and when we try to communicate we don't use language that resonates with the board," said Mark Sparshott, EMEA director for security solutions provider Proofpoint.

He suggested one useful tactic in persuading executives to take cyber threats seriously could be to use examples of research, or case studies about similar organisations which have already experienced a breach.

"To grab some of the attention, it's useful to reference peers in your sector that have suffered a breach and make a case study of those, then reference research about volume of attacks," said Sparshott.

Computer security expert Graham Cluley agreed, suggesting that if the board is seen to be taking security seriously, then it will set a good example which will trickle down to even the most junior member of an organisation.

"It's important the board believes in securing the organisation because more junior staff will see them," he said.

"Making sure those staff behave within the rules and understand the benefits of doing so is something that's going to be trickled down through the organisation. It doesn't just have to be spoken, it has to be lived," Cluley continued.

He added that employees should be aware enough of risks that they're not hesitant about reporting a suspected security breach rather than ignoring suspicions they might have through fear of being held responsible.

"It's about identifying where risks exist and people feel comfortable reporting a security breach, everybody has to be effectively part of the security department. You want them to come forward rather than hide it under the carpet as there's nothing worse than a cover up," said Cluley.

Computing research revealed during the web seminar suggests that only 46 per cent of organisations – less than half – have board-sponsored data governance programmes, something which needs to change if security threats are ever going to be properly prevented.

Source: http://www.computing.co.uk/ctg/news/2309884/boardroom-must-understand-cyber-threats-to-ensure-business-security-agree-experts#comment_form
Boardroom Must Understand Cyber Threats to Ensure Business Security, Agree Experts