Kaspersky Lab, a Russian multinational cybersecurity and anti-virus provider, said that based on a recent study, every fourth business executive in Southeast Asia (SEA) prefers not to flag abnormalities, due lack of understanding when discussing cybersecurity issues.

The study also said that one in ten C-level managers have never heard of threats such as Botnet, APT and Zero-Day exploit.

The same proportion appeared to be unfamiliar with cyber security concepts like DecSecOps, ZeroTrust, SOC and Pentesting.

The study likewise bared that while backing cybersecurity in every business decision has already become the norm in every other company, more than half of executives lack confidence that their cyber spending is being allocated to the most significant risks their organization is facing.

Kaspersky, according to a statement released to media, conducted their own research to help IT and C-level find common ground and explore the root of their misunderstandings, where a total of 300 executives from the SEA region were surveyed.

The Kaspersky poll indicates that C-suite sometimes struggle to understand their IT security peers and are not always ready to show their confusion.

Thus, 26% of non-IT executives here say they would not feel comfortable flagging that they don’t understand something during a meeting with IT and IT security.

Although most of them hide their confusion because they prefer to clarify everything after the meeting or choose to figure everything out by themselves, more than half (55%) don’t ask additional questions because they don’t believe the IT peers will be able to explain it in a clear way.

Almost two-in-five also feel embarrassed revealing they don’t understand the topic and 42% don’t want to look ignorant in front of their IT colleagues.

Also, even though all surveyed top-managers from SEA regularly discuss security related issues with IT security managers more than one-in-ten respondents have never heard of threats such as Zero-Day exploit (11%), Botnet (9%), and APT (9%). At the same time Spyware, Malware, Trojan and Phishing appeared to be more familiar for top-managers.

More than one-in-ten top managers here admit they have never heard of cybersecurity terms like DecSecOps (10%), SOC (10%), Pentesting (10%), and ZeroTrust (6%).

“Non-IT top management do not have to be experts in complex cybersecurity terminology and concepts and IT security executives should keep this in mind when communicating with the board,” Sergey Zhuykov, Solution Architect at Kaspersky said.

“To establish efficient cooperation CISO should be able to focus C-level attention precisely on meaningful details and clearly explain what exactly the company is doing to minimize cybersecurity risks. In addition to communicating clear metrics to stakeholders, this approach requires offering solutions instead of problems,” Zhuykov added.

“On the other end of the communications spectrum, only 6% of IT security professionals in SEA admit facing difficulty in discussing aspects of their work to the C-level. This means the majority of our technical workforce deem that their updates are understood by the decision makers. To bridge this dangerous gap, security teams should also incorporate effective tools – real life examples and use of reports and numbers – to ensure that discussions are done effectively,” Chris Connell, Managing Director for Asia Pacific at Kaspersky said.

To ease the communication between IT security and business functions within the company, Kaspersky recommended that: IT security should be positioned as a driver for growth and innovation in the organization.

They said that to achieve this, the IT security team should move away from prohibitive tactics and rather explain how the business can achieve its goals while mitigating cybersecurity risks.

CISO, according to the Kaspersky statement, should actively engage in operational activities and build relationships with the company’s stakeholders.

While fewer than 20% of CISOs have established partnerships with key executives in sales, finance, and marketing, it is hard for them to stay abreast of the needs of the business.

When communicating with the board, they also advised to use arguments based on an overview of threats by experts, your company’s attack status and best practices.

There is also an urgent need to explain to the board what the main responsibilities of the IT security team are.

They should also allocate cybersecurity investments in tools with proven efficacy and ROI. This means tools that lower the level of false positives, and reduce times of attack detection, the time spent per case and other metrics are important to any IT security team.

CURRENTPH NEWS SERVICE