Fluent in Infosec: Are c-level executives and IT security managers on the same page?

‘If you talk to a man in a language he understands, that goes to his head. If you talk to him in his language, that goes to his heart’. Nelson Mandela’s wise words can be applied equally to business and IT communication, where two complex worlds meet, yet do not always completely interpret what the other is trying to achieve.

For any organization to function, the leadership team must be able to holistically base decision-making on key trusted frameworks and roadmaps that guide them through every step of the technological life cycle from initial commitment, plan, and design, construction and integration, to monitoring and project sustainability.

A 2022 World Economic Forum report, “Earning Digital Trust: Decision-Making for Trustworthy Technologies”, outlines how collaboration between cybersecurity, privacy, ethics and other business functions can improve trust in technology.

However, while business executives rightfully focus on sales, customer experience, risk, and cost, IT and cyber security champions are concerned with protecting devices, networks, programs and data from unauthorised access or damage. Pursuing different goals can lead to misunderstandings in the boardroom, and to executives underestimating the importance of cybersecurity measures.

Independent industry studies also reveal that building trust between business functions and IT is important for success, yet only a small number of CIOs believe they are highly effective in communicating with their non-IT colleagues.

This research, commissioned by Kaspersky, explores communication between IT security teams and non-tech executives, with the aim of understanding the problems they face in understanding each other and gaining insights into the ways in which communication can be improved.

While delivering cybersecurity to non-IT employees in a clear and memorable way is a core value for Kaspersky, this research will help the two tribes to pinpoint miscommunications when adopting new security solutions.

Methodology


This report is based on two surveys of IT / IT-security and non-IT respondents.

The research among non-IT workers was conducted by the Censuswide research consultancy, commissioned by Kaspersky. The quantitative online research was undertaken amongst top-management and C-level executives who discuss security-related issues with IT or IT-security managers at least once a year. Researchers interviewed 2,300 employees from global businesses with more than 50 employees, with representation across 25 countries. Respondents were questioned on their organization’s perceived IT readiness, communication between IT staff and non-IT executives, and consequences resulting from miscommunication.

The other poll was conducted amongst 4,132 IT workers as part of Kaspersky’s global Corporate IT Security Risks Survey (ITSRS). The interviews were conducted in businesses with more than 50 employees across 25 countries.

Key Findings


  • Lack of understanding between IT and non-IT happens really often…
    98% of non-IT respondents revealed they have faced at least one IT security miscommunication.
  • …and regularly leads to awful consequences
    As a direct result of miscommunication regarding IT security within their organization, 62% of managers admit it led to at least one cybersecurity incident.
  • Issues in communications are not always evident to all dialogue participants
    42% of business leaders want their IT security teams to better communicate cybersecurity incident risks and consequences, while most IT workers (76%) say they face no difficulties explaining their work to colleagues and executives.
  • Non-IT and IT have different perspectives on the most difficult topic…
    Every third C-level executive (34%) struggles to speak about adopting new security solutions, while the majority (51%) of information security workers find it most difficult to talk about increasing the budget for IT security.
  • …but they are on the same page when it comes to workable communication strategies
    The majority of C-level (56%) and IT (48%) workers agree that providing real-life examples is the most efficient method to ease communication on IT security related issues.

How big is the IT security language barrier?


The language barrier between non-IT executives and those looking after cybersecurity in their companies is more significant than some believe and could lead to catastrophic issues.

Almost half of C-level and business leaders (42%) would like IT security workers to inform the boardroom about cybersecurity issues more clearly. On the other hand, most cybersecurity respondents (76%) do not see the issue, claiming they have not faced problems in work-related communications.

Of those surveyed, 42% of business executives think IT-security employees could be clearer when they pass on information about the risks and consequences to their business in case of a cybersecurity incident. The business leaders believe soft skills are the issue, with 40% saying IT security employees should develop their communication, presentation, project management and team leadership skills.

Just under a quarter (22%) of business respondents often don’t understand the terms, technology and arguments IT security colleagues use while discussing IT-security related topics, and 17% sometimes don’t get the importance of cybersecurity discussions with IT security managers.

The communications gap can be evidenced by the fact that only 51% of non-IT executives can confirm that they are fully informed about the cybersecurity readiness of their organization. However, only 10% of IT security executives acknowledge that there are difficulties explaining any aspect of their work to colleagues and top-management. In fact, of those surveyed, 77% claim they have no issues communicating about their work. Yet the gap widens as the two tribes don’t acknowledge the problem to each other, with 76% of IT staff believing arguments were “well received” by non-IT top-management and colleagues.

Non-IT survey: Which of the following statements, if any, apply to you? (Tick all that apply)

When it comes to cybersecurity, for business leaders and non-IT respondents it’s very much a case of “lost in translation”, with almost every company (98%) reporting they have faced some form of miscommunication regarding IT security which led to serious consequences.

As a direct result of a breakdown in communications regarding IT security within their organization, 67% highlighted that it led to serious project delays, while 62% of managers admitted it had led to at least one cybersecurity incident. For 61% of respondents negative effects impacted the business, including wasted budget, loss of a valued employee, or worsening relationships between teams.

Have you ever faced the following negative consequences caused by miscommunication regarding IT security?

Like any relationship, it’s all about the connections that make the collaboration work, and it’s no different when it comes to cybersecurity in business. Most survey respondents confirm this, noting weaker feelings of connection between different teams (34%) as a negative aspect of miscommunication.

For 33% of managers, unclear communications about information security will make them question the IT-security employees’ skills and abilities, and 28% feel they will delay deciding on the subject. Almost three-in-10 executives admit misunderstandings led them to lose confidence in the security of the business (28%) and made them nervous, which reflects on work performance (26%).

Which of the following statements, if any, is relevant to you when the communication with your IT-security employees isn't clear/you don't understand? (Tick all that apply)

Where do difficulties in communication between IT and non-IT come from?


If business is from Mars, then cyber is from Venus: communication between IT and non-IT staff is further complicated by a reluctance of non-IT executives to show a lack of cybersecurity knowledge and an inability of IT security workers to deliver information in a clear way.

Non-IT executives (22%) say they would not feel comfortable flagging that they don’t understand something during a meeting with IT security teams. While the majority (50%) prefer to clarify everything after a meeting or figure out issues by themselves (38%), more than one in three (37%) don’t ask additional questions because they don’t believe the IT and IT security team can explain it clearly. Just over one-third (34%) feel too embarrassed to reveal they don’t understand the topic while 33% don’t want to appear ignorant in front of IT colleagues.

You previously noted that if you were in a meeting with IT and IT security and didn't understand something, you would not feel comfortable flagging that you didn't understand this in the meeting. Why is this? (Tick all that apply)

The most complicated topics for business and tech teams to discuss with each other are also radically different. For non-IT executives, the top three toughest subjects include adopting new security solutions (34%), any changes to cybersecurity policy (29%), and evaluating the performance of the IT security team (29%). For IT workers, the three toughest topics to discuss with non-IT executives are anything that involves expanding a budget for IT security (51%), raising awareness among employees (43%), or expanding the IT security team (43%).

Non-IT survey: what IT security related topics, if any, are the toughest to discuss with IT or IT security employees? (Tick up to three)

IT workers should also keep in mind that terms familiar to them are not always well known to their non-IT colleagues. More than one-in-ten non-tech executives have never heard of threats such as Botnet (12%), APT (11%) and Zero-Day exploit (11%), even though they discuss security-related issues with IT or IT-security managers at least once a year. At the same time, Spyware, Malware, Trojan and Phishing appeared to be more familiar to top managers.

Non-IT survey: Which of the following statements best describes your knowledge and understanding of the following threats?

Also, more than one-in-ten top managers admit they have never heard of such cybersecurity terms as DevSecOps (13%), Zero Trust (11%), SOC (11%) and Pentesting (11%).

Non-IT survey: Which of the following statements best describes your knowledge and understanding of the following terms?

How to find a common language?


The good news is that both IT and business leaders are willing to take steps towards better communication with each other. The majority (43%) of non-IT managers think both IT and IT security teams must make equal efforts leading to mutual understanding, with 30% of respondents saying they believe top management should learn more about IT security to speak the same language. Only 22% place the responsibility for mutual understanding on IT security workers.

Which of the following statements, if any, best describes who you think should make more effort to ensure clear communication and mutual understanding?

Cybersec workers admit there is work to be done regarding cybersecurity awareness of non-IT workers, with 81% agreeing they should actively communicate more with their non-IT colleagues and raise their security awareness across their organization.

When looking at business and IT, progress is being made when it comes to cross-function or organization meetings, but what are the most efficient communication strategies?

Respondents from both tribes agree the most effective way to facilitate discussions about IT security issues is to provide real-world tech examples and reports and numbers.

Introducing reports and statistics into any IT discussion (43%) and referencing authoritative opinions and industry thought leadership (35%) will allow business decision makers to better understand their IT counterparts.

When asked what facilitates communication with C-level executives on IT-security related measures, 56% of IT professionals chose real-life examples in meetings, while 55% say reports and numbers contribute to mutual understanding. Half (49.5%) of those responding prefer to use threat stories when discussing cyber and IT.

According to your experience, what, if anything, helps you to understand your IT or IT security employees' arguments when discussing IT-security related issues? (Tick all that apply)

According to your experience, what facilitates communication with C-level executives on IT-security related measures?

For one-in-five IT and non-IT workers, water cooler moments sharing jokes and memes are great ways to facilitate communication of IT security-related measures.

Conclusion


Cybersecurity misunderstandings can be almost as dangerous as gaps in corporate cybersecurity because of the very real negative consequences that result from breakdowns between boardrooms, managers, and IT teams. And it’s happening more often than people think.

As this research shows, company leaders struggle to speak about cyber risks, being unfamiliar with cyber terms, with some completely unaware of current threats such as Botnets and APT, and many reluctant to speak about their lack of knowledge. On the other side of the coin, IT security workers struggle to get their points across to their non-IT colleagues, finding the most difficulty in discussing budgets.

However, there is a light at the end of the tunnel, as both sides agree that IT security workers ought to communicate more with their non-IT colleagues and raise their security awareness. They are willing to bridge this gap, and agree on ways to move forward with suggestions that communication can be facilitated with the help of reports, real-life examples, and threat stories.

To avoid costly cyberattacks in the current economic climate, with a focus on achieving goals cost-effectively, business leaders need their IT security teams to communicate any incident clearly and rapidly, disclosing possible consequences.