A new global report from Dell SecureWorks reveals a worrying disconnect between IT leaders and information security staff over key priorities and concerns.
Over half of the 1800 IT leaders and staff interviewed in 42 countries by the Ponemon Institute claimed that C-level executives and board members are often not briefed on security, meaning they don’t have the information they need to make informed decisions about IT security strategy.
Whereas security and IT bosses claimed it most important to improve their organization’s security posture (72%), staff working under them argued that minimizing downtime should be the number one priority (83%).
This disconnect was further illustrated when both sets were asked what they viewed as the most serious cyber-threat.
For IT leaders it was third-party errors, including those made by cloud providers (49%), followed by negligent insiders (37%). For their staff, however, it was insecure web applications (57%) and negligent insiders (56%).
It’s notable that insider risks are being largely ignored in many firms. Only 8% said that security training for all staff is an objective.
More worrying still is the 58% of respondents that don’t have, or are unsure whether they have, enough funds in the organization to meet legal and security compliance requirements.
In fact, insufficient budget is another major theme of the report, which doesn’t bode well for the future of information security.
In total, half of those who responded to the Ponemon Institute claimed that budgets are set to stay the same or even decline over the next two years.
Trying to explain the disconnect highlighted in the research, Dell SecureWorks CISO Doug Steelman argued that IT and security are often conflicting disciplines.
“The security org (CSO/CISO) needs to be independent and not report to the IT org (CIO) because IT professionals are typically focused on different goals than security objectives,” he told Infosecurity by email.
“Security needs to be independent, and have its own seat at the table, beside IT and other peers, so the security function can report directly to the board of directors and senior leaders of the organizations with undue influence.”
The 2015 Global Study on IT Security Spending and Investments is available here.