Survey: IT hides negative security facts from execs

IT pros often complain that management doesn’t understand the true impact of lax security. But a recent survey shows why some of the blame may lie with IT itself.

It’s difficult to get support for IT security initiatives if management doesn’t understand all the risks the organization faces and what the costs of being under-protected might be.

That’s why it’s critical for IT and the business side to communicate openly and accurately regarding IT security. But unfortunately, that’s not the case in most organizations, according to a recent study published by the Ponemon Institute and security vendor Tripwire.

While sometimes the problems might exist because business leaders aren’t paying attention to warnings from IT, many tech teams also must share in the blame, according to the survey.

Among the 1,300 IT pros polled, just over half (51%) said their department’s communication of security risks to company executives was not effective.

Softening the security message

One big problem: IT seems to be reluctant to deliver bad news to the rest of the organization. The majority of survey respondents (59%) said negative facts about IT security are often filtered out before information is delivered to senior executives and the CEO.

The reason might be that IT thinks those executives want to hear good news or that reporting only successes will help create a more favorable situation for the tech department.

But filtering out negative facts can create problems for the whole company and hurt IT’s goal of getting the best protection possible for the company’s information. Without all the facts, execs may not fully understand the risk the organization faces and therefore won’t allocate the proper resources.

Communicate more often

A similar issue at many organizations: Often, IT doesn’t report any security information until it has to.

Among the IT pros surveyed, 64% said they don’t give executives information about security until there’s been an incident. Among the other problems that causes, it can get in the way of the company’s ability to proactively prevent breaches.

Execs need up-to-date information about what risks the company faces so that the right plans can be in place with the budgets to back them.