Cisco Study Reveals Perception Gap on IT Security

You’ve heard of the generation gap, well, it turns out there’s also an IT-security-perception gap. The name doesn’t have quite the same ring to it, but here’s how it works: Ask IT leaders about the state of their companies’ security and there’s a decent chance they’ll reply with a rosy image. Ask companies’ lower level management that same question, however, and the reviews may not be as glowing.   

That’s the state of things according to the 2015 Annual Security Report from Cisco. To get a balanced, more in-depth look at the state of IT security, researchers looked to gather security insights from multiple levels of a company’s infrastructure. To get the view from the top, they polled Chief Information Security Officers (CISOs) – or their equivalent. Researchers also picked the brains of those organizations’ Security Operations (SecOps) Managers for an alternate perspective.

Even though there was a noticeable split between what CISOs were saying and what their SecOps team suggested, the good news is both sides were still mostly (but not always) positive about the state of corporate IT security. It’s just that CISOs tended to be more positive than those who handled security at the nuts-and-bolts level.       

Differing points of view

Let’s take a look at some of the highlights from Cisco’s survey:

On the overall state of security:

  • 62% of CISOs felt their company’s security processes were clear and easily understood, compared to just 48% of the SecOps Managers who felt the same.
  • 59% of CISOs believe their security processes are optimized and focused squarely on process improvement, while only 46% of SecOps Managers shared that viewpoint.

On confidence levels in organizational security policies:

  • 62% of CISOs strongly agreed with the statement that “Computer facilities within my organization are well protected,” while 51% of SecOps Managers strongly agreed with it.

On confidence levels in organizational abilities to contain compromises:

  • 61% of CISOs strongly agreed that their company reviewed and upgraded its security practices regularly, formally, and strategically over time, while 51% of SecOps Managers strongly agreed with it.
  • 57% of CISOs strongly agreed their company had tools to review and provide feedback on the capabilities of their security practice, compared to 49% of SecOps Managers who felt the same.
  • 60% of CISOs strongly believed their company routinely and systematically investigated security incidents, while just 49% of SecOps Managers strongly agreed with that.
  • 61% of CISOs strongly believed their threat detection and blocking capabilities were kept up to date compared to 53% of SecOps Managers.
  • 60% of CISOs strongly felt that their company’s security technologies were integrated properly so that they could work together effectively, while 51% of SecOps Managers strongly agreed with it.
  • 64% of CISOs strongly agreed with the notion that security factored heavily into their organization’s goals and business capabilities, but only 51% SecOps Managers strongly felt the same way.

On security controls and organizational security tools

  • 60% of CISOs strongly agreed they had good processes in place for verifying that security incidents actually occurred, while 48% of SecOps Managers strongly agreed.
  • 57% of CISOs strongly believed their company did a solid job of notifying and collaborating with stakeholders in regards to security incidents, compared to 44% of SecOps Managers who felt the same.
  • 61% of CISOs strongly stood behind the statement that their company had thoroughly-documented processes and procedures for incident response and tracking, while just 51% of SecOps Managers agreed strongly.

What’s driving this perception gap? Cisco feels like it may be a matter of proximity. CISO’s are more removed from the nuts and bolts tasks SecOps Managers perform. As a result, the manager is often much more acutely aware of when something is going wrong as he or she is the one in the weeds struggling to fix it. That first-hand exposure to issues can explain managers’ less optimistic outlook.

The big picture outlook of CISOs may also factor in. They’re the ones setting the policies while managers are the ones enforcing those policies and seeing them in action on a day-to-day basis. Again, when things aren’t working, the manager typically knows about it first.

Of course, having a solid grip on the state of your security infrastructure is a must in today’s business world. A free security architecture consultation from Arraya can help you spot and seal any weaknesses before they can be exploited by those who are up to no good. If you haven’t already, be sure to reach out to your Arraya Solutions Account Executive or click here to set-up your consultation.

And don’t forget to follow us on Twitter: @ArrayaSolutions

Arraya Insights