CEOs underestimate security risks, survey finds

Lower-level execs more likely to fear the worst from attacks on corporate data

Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute.

The Ponemon survey of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap between CEOs and other senior managers concerning information security issues. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company's data is under attack on a daily or even hourly basis.

The survey also found that the top executives were less aware of specific security incidents at their companies than other C-level executives and were more confident that data breaches can be easily avoided.

Ponemon found that CEOs tend to view data protection efforts as vital to maintaining good customer satisfaction levels and to the company's brand image. The other managers, however, were more likely to say that the most important role for data security efforts is to satisfy regulatory requirements.

The survey also found that CEOs and other top managers differed in their opinion of who is responsible for protecting corporate data.

While eight out of 10 respondents said they believe there is one person responsible for data protection in their organization, there was a sharp difference of opinion on just who that person was. More than half of the CEOs said that CIOs are responsible for protecting data at their companies; only 24% of other senior managers felt the same way.

And 85% of respondents said someone else would be held responsible for a data breach. "On the issue of accountability, we found that while people acknowledged that data breaches were a problem, very few people felt that if [their company] suffered a breach, they would be held responsible," said Larry Ponemon, founder of the Ponemon Institute.

Some of the differences in perception between CEOs and other top executives can probably be traced to the metrics they use to define information security goals and to measure success, Ponemon added.

While most CEOs look for their companies to create cost-effective, and even profitable, information security policies, other top executives said the policies should focus strictly on threat mitigation and compliance-related matters, he said. "CEOs want bigger-picture metrics, but what they are getting is the compliance story," Ponemon said.

The study showed that there is a broad need for new metrics to measure the impact of information security investments on asset performance and reputation management, he said. But what top managers are getting are more conventional success metrics, he added.

The Ponemon survey was sponsored by security vendor Ounce Labs Inc.
