Company bosses are been warned that they are underestimating the IT security risks faced by their own businesses, in stark contrast to other corporate executives.
So said a US survey of 213 CEOs, CIOs, COOs and other senior executives released by the Ponemon Institute. It found what appears to be a perception gap concerning information security issues between CEOs and other senior managers.
For instance, 48 per cent of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53 per cent of other C-level executives believe that their company's data is under attack on a daily or even hourly basis.
The survey also found that the top executives were less aware of specific security incidents at their companies than other C-level executives, and are more confident that data breaches can be easily avoided.
The survey found that CEOs tend to view data protection efforts as vital to maintaining good customer satisfaction levels and to the company's brand image. The other managers, however, were more likely to say that the most important role for data security efforts is to satisfy regulatory requirements.
The survey also found that CEOs and other top managers differed in their opinion of who is responsible for protecting corporate data.
While eight out of 10 respondents believed there was one person responsible for data protection in their organisations, but there was a sharp difference of opinion on just who that person was. More than half of the CEO's said that CIOs are responsible for protecting data at their companies; only 24 percent of other senior managers felt the same way.
And 85 per cent of respondents said someone else would be held responsible for a data breach. "On the issue of accountability we found that while people acknowledged that data breaches were a problem, very few people felt that if [their company] suffered a breach, they would be held responsible," said Larry Ponemon, founder of the Ponemon Institute.
Some of the differences in perception between the CEO and other top executives can probably be traced to the metrics they use to define information security goals and to measure success, Ponemon added.
While most CEOs look for their companies to create cost-effective, and even profitable information security policies, other top executives said the policies should focus strictly on threat mitigation and compliance related matters, he said. "CEOs want bigger picture metrics, but what they are getting is the compliance story," Ponemon said.
The study showed that there is a broad need for new metrics to measure the impact of information security investments on asset performance and reputation management, he said. But what top managers are getting are more conventional success metrics, he added.
The Ponemon survey was sponsored by security vendor Ounce Labs.