
How to approach business leaders about cybersecurity when they don’t follow the breach headlines

Opinion
15 Feb 2018, 4 mins
Data Breach, Data and Information Security, Network Security

Hint: hit them where it hurts the most – their own personal reputation and livelihood.

[Image: Credit: Thinkstock]

Most business leaders are not aware of and do not understand the implications of major data breaches or vulnerabilities highlighted in news stories. That’s the big takeaway from CA Veracode’s recent survey of more than 1,000 business leaders. (Disclaimer: I am the CTO of Veracode.) Clearly, senior executives don’t think of security incidents as news items they need to pay attention to, and are not making the connection between their bottom line and cybersecurity issues. In fact, a quarter of all business leaders in the UK and US report not understanding any of these common cybersecurity threats:

In addition, only 28 percent had heard of the JP Morgan Chase data breach, a mere 32 percent were aware of the Target breach and just 34 percent had heard of WannaCry.

Bring the headlines home

The bottom line is that it is important for business leaders to both be aware of and understand large-scale security breaches. They need this information in order to make sound investment decisions regarding security. Just as you would start locking your car doors in your driveway if your neighbors’ cars were getting broken into, you need to keep up with cyberattacker tactics in order to know where to most efficiently invest your security dollars.

But based on the survey results above, it’s clear that just sharing the headlines with business leaders won’t be enough. Security teams should consider helping executives connect the dots between what happened to that company, what might happen to us, and what we can do to stop it.

For instance, our survey found that only 28 percent of business leaders had heard about the Equifax breach that impacted 145 million US consumers. This breach was caused by a known vulnerability in an open source component that had not been updated for months. This lack of awareness seems impossible to those of us in the security industry, considering this was one of the most talked about breaches of the year. But we need to remember that not everyone lives and breathes security the way we do.

In addition, our survey of business leaders also found that less than a third (32 percent) understand the risk that vulnerable open source components pose to their organization. How do you bridge this knowledge gap? First, make it a real problem using stats like those from our most recent State of Software Security (SoSS) report (based on application security testing data from our 2017 scans), which found that 88 percent of Java applications have at least one component-based vulnerability. Second, offer a solution: One way to reduce this risk is to employ software composition analysis technology. With this technology in place, organizations can keep track of which open source components they are using, and where. In turn, when a big vulnerability in an open source component hits the news (remember Heartbleed?), they can quickly find out where they are vulnerable and patch or update.
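As an added illustration of the component tracking described above (example code written for this page, not Veracode's product or the article's own code), the block below builds an inventory of which open source components each application uses and then answers the question that matters when a component vulnerability hits the news: which of our applications are running an affected version? The application names, component coordinates and the "fixed in" version are constructed sample data.

```python
"""Minimal software-composition-analysis style inventory (added example).

Given dependency lists from several applications, record which open source
component versions are used where, then look up every application that runs
a version below the one an advisory says is fixed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data: app name -> "group:artifact:version" coordinates
# (Maven-style naming; the components themselves are fictitious).
MANIFESTS: Dict[str, List[str]] = {
    "customer-portal": ["org.example:web-framework:2.3.1",
                        "org.example:json-lib:1.9.0"],
    "billing-api":     ["org.example:web-framework:2.5.0",
                        "org.example:xml-parser:3.0.2"],
    "reporting":       ["org.example:json-lib:1.9.0",
                        "org.example:web-framework:2.3.1"],
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def build_inventory(manifests: Dict[str, List[str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (component name, version) -> set of applications using it."""
    inventory: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for app, coordinates in manifests.items():
        for coordinate in coordinates:
            group, artifact, version = coordinate.split(":")
            inventory[(f"{group}:{artifact}", version)].add(app)
    return inventory

def affected_apps(inventory: Dict[Tuple[str, str], Set[str]],
                  component: str, fixed_in: str) -> Dict[str, str]:
    """Return {app: version} for every app running `component` below `fixed_in`."""
    hits: Dict[str, str] = {}
    for (name, version), apps in inventory.items():
        if name == component and parse_version(version) < parse_version(fixed_in):
            for app in apps:
                hits[app] = version
    return hits

if __name__ == "__main__":
    inv = build_inventory(MANIFESTS)
    # Constructed advisory: web-framework versions before 2.4.0 are vulnerable.
    for app, ver in sorted(affected_apps(inv, "org.example:web-framework", "2.4.0").items()):
        print(f"{app}: upgrade web-framework {ver} -> 2.4.0 or later")
```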

Make it personal

How else do you get executives to pay attention to cybersecurity when the headlines about breaches don’t do the trick? We also asked business leaders in our survey to give us their advice on how to get senior executives to buy in to security initiatives.

Apparently, you need to hit them where it hurts the most – their own personal reputation and livelihood. Over a third of business leaders (38 percent) reported that giving senior executives examples of the personal brand damage that can come as a result of a data breach is an effective strategy for engaging them with cybersecurity.

Highlighting the threat to executive jobs was also a commonly shared suggestion, with 35 percent of business leaders across all regions suggesting this would get board members sitting up and listening.

Security is everyone’s job

As we’ve seen from the fall-out of recent major data breaches, security is everyone’s responsibility. In the end, employees at all levels need to buy into the idea that quality code is secure code and be willing to invest the time and money necessary to make that a reality.


Chris Wysopal is CTO at Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, Chris was vice president of research and development at security consultancy @Stake, which was acquired by Symantec.

In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified before the U.S. Congress on the subjects of government security and how vulnerabilities are discovered in software.

Chris holds a bachelor of science degree in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

The opinions expressed in this blog are those of Chris Wysopal and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.
