CEOs Underestimate Security Risks, Survey Finds

Chief Executive Officers are likely to hold different views on corporate data security issues than other C-level executives, according to the results of a Ponemon Institute survey.

By Jaikumar Vijayan
Wed, July 15, 2009

Computerworld — Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute.


The Ponemon survey of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap concerning information security issues between CEOs and other senior managers. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company's data is under attack on a daily or even hourly basis.

The survey also found that the top executives were less aware of specific security incidents at their companies than other C-level executives, and were more confident that data breaches can be easily avoided.

The survey found that CEOs tend to view data protection efforts as vital to maintaining good customer satisfaction levels and to the company's brand image. The other managers, however, were more likely to say that the most important role for data security efforts is to satisfy regulatory requirements.

The survey also found that CEOs and other top managers differed in their opinion of who is responsible for protecting corporate data.

Eight out of 10 respondents believed there was one person responsible for data protection in their organizations, but there was a sharp difference of opinion on just who that person was. More than half of the CEOs said that CIOs are responsible for protecting data at their companies; only 24% of other senior managers felt the same way.

And 85% of respondents said someone else would be held responsible for a data breach. "On the issue of accountability we found that while people acknowledged that data breaches were a problem, very few people felt that if [their company] suffered a breach, they would be held responsible," said Larry Ponemon, founder of the Ponemon Institute.

Some of the differences in perception between the CEO and other top executives can probably be traced to the metrics they use to define information security goals and to measure success, Ponemon added.

While most CEOs look for their companies to create cost-effective, and even profitable, information security policies, other top executives said the policies should focus strictly on threat mitigation and compliance-related matters, he said. "CEOs want bigger picture metrics, but what they are getting is the compliance story," Ponemon said.

The study showed that there is a broad need for new metrics to measure the impact of information security investments on asset performance and reputation management, he said. But what top managers are getting are more conventional success metrics, he added.

The Ponemon survey was sponsored by security vendor Ounce Labs.
