Kelly Jackson Higgins’ article at Dark Reading gives a good summary.

And, in the United States, the situation is even worse, with only 40 percent of US IT and security pros believing their CEOs to be security supporters. When it comes to compliance with regulations, “US firms were also less inclined to consider compliance helpful to security of their endpoints.”

This report is both quite troubling and very unsurprising. It models the philosophies that produce what we see in the real world: data breaches are quite commonplace, decent security is quite achievable, and most businesses just don’t really care (until they discover the hard way). It is quite akin to a widespread lack of interest in wearing seat belts, with only those who experience accidents and are “already dead” deciding that, sure enough, it’s not very hard to buckle a seat belt yet the benefits are enormous.

Many businesses have a department, or at least a group or individual, that handles security. (Note that the report also exposes a woeful lack of collaboration with this section of the business). Yet “the security department” or IT department in general tends to find that upper management just doesn’t “buy in” with security efforts.

Thus, in my view (not necessarily the report’s), it seems good to let the upper management take a serious fall when (not if) breaches happen. They choose not to support the buckling of seat belts, because it’s “not important” or at least not a priority. It’s only fair that their necks be on the line during the next “accident.”

The report itself can be found here. Thanks also go to Redemtech.