Administrators Don't Know Some Basic Cyber Security Terms

Senior executives at many companies in Turkey choose not to acknowledge gaps in their understanding when cybersecurity issues are discussed. A recent Kaspersky survey reveals that one-third of senior executives do not know terms like DDoS, botnet and APT. While 42% of executives in Turkey say they would hesitate to admit, in a meeting with IT and IT security staff, that they do not understand something, 43% prefer to hide their confusion.

While it has become the norm today to consider cybersecurity in decisions affecting every aspect of the business, many executives are unsure whether their cybersecurity spending is directed at the most important risks their organization faces. Kaspersky conducted this research to help IT and senior executives find common ground on the issue and to identify the causes of misunderstandings.

The Kaspersky survey shows that while C-level executives may in some cases struggle to understand IT security issues, they are not always ready to admit their confusion. 42% of executives in Turkey say that if they do not understand something in a meeting with IT and IT security staff, they would hesitate to mention it. 43% hide their confusion and prefer to clarify everything on their own after the meeting, while 42% do not ask additional questions because they do not believe their IT colleagues can explain the matter simply. More than half (53%) of respondents from Turkey hesitate to say that they do not understand the subject, and 47% do so in order not to appear ignorant in front of their IT-savvy colleagues.

Terms like DDoS, botnet and APT are not widely understood

Although all of the senior executives surveyed regularly discuss security-related issues with IT security managers, 33% cannot fully explain what a botnet is, 32% cannot explain an APT, and 37% cannot explain a DDoS attack. Concepts such as spyware, malware, Trojans and phishing, however, are more familiar to senior executives.

[Survey chart: "Which of the following statements best describes your knowledge and understanding of the following threats?"]

Some senior executives in Turkey admit that they have never heard of cybersecurity terms such as DevSecOps (15%), ZeroTrust (13%) and Pentesting (7%).

Sergey Zhuykov, Kaspersky Solutions Architect, says: “Non-IT senior management need not be experts in complex cybersecurity terminology and concepts. IT security managers need to keep this in mind when communicating with the board. To effectively collaborate on cybersecurity, the CISO must be able to focus the attention of C-level executives on meaningful details and clearly articulate exactly what the company is doing to minimize cybersecurity risks. This approach requires being able to communicate clear metrics to stakeholders as well as offering solutions rather than problems.”

To improve communication between IT security and the business units, Kaspersky recommends the following:

  • IT security should be positioned as a driver of growth and innovation in the enterprise. To achieve this, the IT security team must move away from restrictive and prohibitive tactics and explain how the business can achieve its goals while mitigating cybersecurity risks.
  • CISOs must actively participate in operational activities and build relationships with the company's stakeholders. Given that fewer than 20% of CISOs collaborate with key executives in sales, finance and marketing, it is difficult for them to stay aware of the needs of the business.
  • When communicating with the board of directors, refer to a scenario in which your own company is hacked, support your arguments with best practices in the field, and accompany them with an expert overview of the threat landscape.
  • Explain to the board what the key responsibilities of the IT security team are. If possible, give board members the opportunity to act as the CISO so that they gain insight into the team's top IT security challenges.
  • Allocate cybersecurity investment to tools with proven effectiveness and return on investment. Tools that reduce false positives, shorten intrusion detection times, cut the time spent per incident and improve other such metrics are critical to any IT security team.