Paul Proctor, an analyst at the research firm Gartner, said in a study that twice as many CEOs were being fired over cyber security incidents compared to CIOs and CISOs.
He attributed this to the fact that CEOs and other executives, whose core functions did not encompass IT, tended to regard cyber security as a black box and hence were unable to mount a defence after an incident.
Adding to this was the fact that neither CIOs nor CISOs indulged in plain speaking when detailing the systemic risks posed by technology, giving non-IT executives a false sense of security.
Throwing money at a problem would not help, as it would only increase operational costs and not in any way help business outcomes, he said, adding that CIOs and CISOs should not be the defenders of an organisation as this gave technical people the role of protecting business outcomes which they could not comprehend.
Additional suggestions made by Proctor were:
- "Address broken accountability that results in poor investment decisions and more invisible systemic risk;
- "Do not create ineffective risk-tolerance and -appetite statements that promise to only engage in low-risk activities that run counter to sound business practices;
- "Accept and address society’s assumption that hacks happen when people fail to do their job; and
- "Address any lack of transparency that blocks fully-informed decision making."