Many business executives prefer not to admit a lack of understanding when discussing cybersecurity issues, according to a recent Kaspersky study, which also revealed that up to a third of top managers in South Africa are unfamiliar with such terms as DDoS, botnets, or APTs.
While keeping cybersecurity in mind with every business decision has already become the norm, many executives lack confidence that their cyber spending is being allocated to the most significant risks their organisation is facing. Kaspersky conducted its own research to help IT and C-level find common ground and explore the root of their misunderstandings.
The Kaspersky poll indicates that C-suite executives sometimes struggle to understand their IT security peers and are not always ready to show their confusion. In South Africa, 21% of non-IT executives say they would not feel comfortable flagging that they don’t understand something during a meeting with IT and IT security. 38% of them hide their confusion and prefer to clarify everything after the meeting themselves – 38% don’t ask additional questions because they don’t believe the IT peers will be able to explain it in a simple way. 19% feel embarrassed revealing they don’t understand the topic and 29% don’t want to look ignorant in front of IT colleagues.
Also, even though all surveyed top managers regularly discuss security-related issues with IT security managers, 30% locally would not be able to explain what a botnet is, what an APT is, or what a DDoS attack is. At the same time, spyware, malware, Trojan and phishing appeared to be more familiar terms for top managers.
Some top managers admit they have never heard of cybersecurity terms like DevSecOps (10%), SOC (10%), and pentesting (8%).
“Non-IT top management do not have to be experts in complex cybersecurity terminology and concepts, and IT security executives should keep this in mind when communicating with the board,” says Sergey Zhuykov, solution architect at Kaspersky. “To establish efficient cooperation, CISOs should be able to focus C-level attention precisely on meaningful details and clearly explain what exactly the company is doing to minimise cybersecurity risks.
“In addition to communicating clear metrics to stakeholders, this approach requires offering solutions instead of problems,” Zhuykov says.