Communication challenges may be as big a problem for companies as actual security risks. New research has found that 64 percent of information technology professionals say they don't communicate every security risk to senior executives, or only do so when they find a serious problem.
That communication breakdown does not fall solely on the shoulders of IT professionals, however. Forty-seven percent of IT professionals say that collaboration between the risk management department and the business is poor or nonexistent. Fifty-one percent of those professionals also say that communication regarding security risks is not effective.
"Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing," said Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the research. "This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk."
Communication problems exist on a number of levels, the researchers found. Sixty-one percent of respondents say that communication occurs at a low level and is too technical to be understood by managers who are unfamiliar with the technologies.
Respondents also say that risks are minimized at times, which can compound the problem. Fifty-nine percent of IT workers say that negative facts are filtered before being disclosed to senior executives and CEOs.
"Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with nontechnical executives," said Dwayne Melancon, chief technology officer for Tripwire. "However, it's clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals."
The research was based on the responses of more than 1,300 professionals in the IT, business operations and risk management fields.