There is a widening gulf of miscommunication between security teams and their boards. According to the software intelligence platform Dynatrace, 77 percent of chief information security officers (CISOs) say their boards and CEOs focus too heavily on the ability to react to security incidents and not enough on reducing and preventing risk proactively.
“Executive engagement has often been limited to conversations around regulatory compliance and high-profile or user-centric security risks, such as phishing attacks, ransomware, or the use of mobile devices among an increasingly hybrid workforce. There is often less understanding of the material operational effects created by other, more technology-centric risks, such as gaps in the organization’s application security posture,” says Dynatrace.
Dynatrace’s report, The state of application security in 2024, also highlights a growing blind spot where application software (apps) such as Microsoft Word and Excel, Google Chrome and WhatsApp is concerned. According to the report, 72 percent of organizations have experienced an application security incident in the past two years, and 80 percent of CISOs say that application security is a blind spot at the CEO and board level. The problem is exacerbated by the widening array of apps now available to staff to enhance efficiency. These include mobile apps, such as WhatsApp for communication, app versions of popular services, such as weather or transportation information, and apps that allow users to connect with businesses.
Too much technospeak
But board members are equally adamant that their CISOs are failing them by all too often confusing them with technospeak. According to Dynatrace, 70 percent of senior executives report that their security teams too often speak to them in technical terms without providing business context, and they believe it is the CISO’s responsibility to bridge the widening communications gap.
“Despite their growing interest and engagement in their organization’s cybersecurity posture, C-suite executives have a limited understanding of the risk landscape and different priorities that drive security decisions. As a result, they don’t always see eye-to-eye with CISOs and the IT department. CISOs urgently need to drive greater alignment between security teams and the board by elevating the discussion around cybersecurity from bits and bytes to business risk,” says the Dynatrace report.