On Cybersecurity, Execs Are Burying Their Heads In the Sand

An anonymous reader writes shares a report on BizJournals: Despite increased spending on cybersecurity, most executives are unprepared, even willfully ignorant, of the threats that could damage their businesses. A survey of 1,530 C-level executives across of range of industries found a widespread feeling that cybersecurity is an "IT problem," even as CEOs personally shoulder the consequences for breaches. "The Target breach was one of the more significant ones: Executives can be held accountable," says David Damato, chief security officer at Tanium. "But there's still that disconnect. Executives still struggle with: 'What should I be looking for?'"

Endless audits, very little actual work.

[clintp]

Once the executive team figures out that IT security is really important they tend to fuck it all up with an endless parade of audits and consultants

Like any parade, it's all for show. These people swoop in, make IT teams fill out questionnaires, conduct interviews, write reports, make recommendations, but nothing real actually gets done. What IT needs are people willing to get their hands dirty and actually help out with these projects. IT winds up having more thrown on their plate without increases in staffing or budget.

Ditch your PricewaterhouseCoopers schmuks and hire someone to actually do the work.

Re:You want the simple answer?

[Z00L00K]

No, but the other persons on the board will just say STFU, we got this and kick him out.

That's because they don't think that they will suffer the "pants down" situation when the shit hits the fan.

And that's why the IT department is held off from the board of directors, and why IT departments are outsourced.