Nearly half of C-level executives are far from experts when it comes to handling a data breach.

Pam Baker

March 21, 2019

4 Min Read

Experian, the consumer credit company, recently released its recent data breach preparedness study which found that nearly one-half (49 percent) of C-level executives are clueless about their company’s data breach plans. This statistic is doubly disheartening to CISOs who already fear losing their jobs after a data breach. The question is: What can CISOs, partners and MSSPs do to change this situation for the better for all concerned?

The report found a number of issues that may one day become reasons for a CISO’s head to roll, albeit often unfairly. Of the C-Level executives that Experian surveyed:

  • Fifty-two percent rated their plans as very effective, slightly over the 49 percent that said so in 2017

  • Only 36 percent feel prepared to respond to a data breach involving business confidential information and intellectual property.

  • More than half (59 percent) aren’t confident that they could handle ransomware, possibly signaling a loss of faith in their security staff or investments.

  • Only 36 percent are complying with the EU’s General Data Protection Regulation (GDPR), despite the risk of heavy fines and penalties.

  • Less than one-quarter (21 percent) feel confident in their ability to minimize the financial and reputational consequences of a data breach.

  • Only four in 10 say they’re effective at preventing the loss of customers and keep business partners’ trust and confidence after a breach.

  • Fifty-three percent don’t have a cyber insurance policy that can help recoup expenses and cover damages.

Despite continued efforts to raise C-level executives’ awareness of threats and get their buy-in on budgets, tools, training and breach response, CISOs’ words often fall on deaf ears. The problem of how to get through to them remains a difficult challenge.


Experian’s Michael Bruemmer

Channel Futures’ MSSP Insider went beyond the survey to get Experian’s thoughts on closing the gap between security pros, CISOs, MSSPs, and C-Level executives. Here is what Michael Bruemmer, VP of data-breach resolution at Experian, had to say.

Channel Futures’ MSSP Insider: C-level executives have tuned out on security briefings for so long. How can security pros get them to engage now?

Michael Bruemmer: Invite senior executives from key departments that would be a part of an incident response such as human resources, public relations, customer relationship management and operations to participate in data-breach preparation review meetings and drills to enhance their knowledge in the category.

Those executives do understand the importance of protecting the company, customers and partners, so take the time to meet with them and update the executives on the latest preparations the company is considering and implementing. This will enable [them] to be proactive in planning instead of reactive to data breaches.

In addition, use that time to advance cybersecurity plans. By showcasing the next steps to the executive, you will be able to share your vision and gain their support for protecting the company’s reputation in the future. Creating a dialogue with senior executives about cybersecurity practices will enable you to discuss the company investing in the latest technologies to prevent and detect breaches.

CFMI: What are other impacts of developing a C-level cooperative strategy instead of delivering traditional security briefings?

MB: Companies that engage and educate C-suite executive see the benefits of …

… investing more in data breach preparation. When leadership is knowledgeable and actively involved in data-breach response plans, it emphasizes the importance of having a strategy in place throughout the organization. C-suite executives are able to support these cybersecurity preparation initiatives by approving agreements with pre-data breach partners to have the company better equipped to prepare and handle data breaches.

CFMI: Your report found only 36 percent were compliant with GDPR. What advice can you offer in getting C-level executives to understand why data-breach notifications can’t be delayed, even if their instinct is to delay? How can security pros drive home that failure to comply now with GDPR can result in notification delays later that will prove costly?

MB: General Data Protection Regulation (GDPR) data-breach notification standards are more difficult for organizations to comply with, so C-suite executives need to be involved in those discussions to understand the global rules and ramifications of not being GDPR compliant in the event of a data breach. With only 72 hours to notify the impacted parties of a data breach, being GDPR compliant requires senior executives to be educated about the importance of being able to act swiftly following a data-breach incident and the potential fines that are levied for not being compliant.

Read more about:


About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like