Top executives in organisations that fail to set IT security teams targets that correlate directly with overall business performance increasingly face problems as a result, a study has revealed.
Out of a sample of more than 100 UK enterprise IT security decision-makers surveyed by privileged access management solutions vendor Thycotic, 61% agreed there are implications for the CEO if security teams are unable to meet security targets. Consequences range from receiving a hard time from shareholders (44%) or longer hours spent on the job (40%), to serious penalties including lost bonus payments (37%), and even a threat to their job security (35%).
Meeting performance targets set by the C-suite/board did not come out on top when IT security teams were asked to ‘describe what success looks like’. More people (45%) rated success as being valued by the company, ahead of meeting performance targets set by the board (42%).
“The data breach at TalkTalk [four years ago] ushered in an era where CEOs can – and will – be held accountable for IT security failures that occur on their watch,” says Thycotic Chief Security Scientist & Advisory CISO, Joseph Carson. “Now, when cyber security teams do not meet their targets, it impacts the CEO with longer hours, shareholder pushback, job insecurity – and financial bonus reductions.”
Carson adds: “To minimise the risks, CEOs need to set IT security professionals proactive measures and appropriate budgets that demonstrate the positive contribution they make to overall business performance. An example would be to appoint an IT security professional with good communication skills in charge of cross-departmental co-operation. This has the dual benefit of putting IT security on a more proactive footing, and of increasing the chances of spotting/remediating digital risks early before they can escalate and cause trouble at board level.”