To better understand the communication challenges between C-level executives and IT security colleagues, Kaspersky commissioned a survey to learn more about the lack of understanding between these departments. The study revealed that over a third of C-level executives (34%) struggle to speak about adopting new security solutions with their IT security colleagues. Conversely, IT professionals feel that increasing the budget for cyber security is the toughest topic to discuss with non-IT management.
Further, the study revealed that almost half (47%) of top managers in the U.S. think IT security employees should communicate cyber risks to the business better, while only 9% of cybersecurity workers agreed that they have some difficulty explaining any aspect of their work to non-IT colleagues and executives.
IT and non-IT workers also differed on the most complicated topics to discuss. According to C-level executives, the three most challenging subjects to talk about with IT staff were adopting new security solutions (42%), changes in IT security team staff (38%) and evaluating the IT security team's performance (37%).
For IT workers, the top three topics to discuss with non-IT executives were the need to increase the IT security budget (49%), evaluating the performance of the IT security team (48%) and expanding the IT security team (48%).
On the subject of finding common ground, the majority of respondents agreed that the most efficient ways to facilitate discussions about IT security issues are to use real-life examples (63%), reference previous experience (49%) and cite instances in the media (49%). In addition, C-level executives said that citing reference reports and numbers (65%) would best allow them to understand their IT security staff.
"It is inferred that non-IT executives struggle to discuss the adoption of new cybersecurity solutions because of the abundance of complex technical terms and concepts often used by IT security staff. However, our research has found they don't like to speak about increasing budgets as C-level executives expect them to use business metrics to justify their needs," says Ivan Vassunov, vice president of corporate products at Kaspersky. "Today, in a difficult economic environment and complicated threat landscape, mutual understanding between business and IT security people is more important for business continuity than ever before. To avoid additional cybersecurity risks it is crucial that both teams know how to speak a common language based on numbers, reliable references and understandable arguments."
To make communication between IT security and business functions within the company more transparent, Kaspersky recommends the following:
- Allocate cybersecurity investments to tools with proven efficacy, and present new security concepts (including SASE, XDR and Zero Trust) to the board as investment projects or even as business cases with a calculated ROI.
- Use resources such as the IT Security Calculator and reports based on experts' observations, which contain structured information about the threats and security measures most relevant to your particular industry and company size, to verify the probability of risks and the protective measures needed.
- Acquire additional knowledge to better understand professionals from other spheres. While business basics can be gained from training courses, non-IT executives have an opportunity to walk in a CISO's shoes to gain insight into the most relevant IT security challenges.
Additional insights on communication issues between C-level executives and IT security managers are available via the link.