The C-Suite and IT Decision Makers: Disconnect or Empathy?

As the saying goes, before you judge someone, you need to walk a mile in their shoes. There’s a lot of truth behind this. In the business world in particular, being able to truly understand your colleagues’ experiences, challenges, and thought processes is instrumental for any productive collaboration.

For IT decision makers (ITDMs) and the executives in the C-suite in particular, this is nothing but good advice.

Why? Because there are some significant gaps between these two groups of people.

Case in point, a recently published survey taken by members of the C-Suite and ITDMs shows how they are not in step with each other. In particular, it’s how they assess cyber threats, costs, and areas of responsibilities.

According to the survey, among the most noticeable disconnects, one third (35 percent) of C-suite executives believe IT teams are responsible for data breaches.

Conversely, one half (50 percent) of IT decision makers consider a data breach to be the responsibility of their senior management team.

Should the inevitable breach happen, there’s going to be a lot of finger pointing.

Other key findings included:

  • Even though 80% of the C-suite believe cybersecurity is a significant challenge facing their business, only half of ITDMs thought the same
  • The cost of a cyber breach is estimated by ITDMs to be $27.2 million, more than four times the amount noted by executives ($5.9 million)
  • And while half of the C-suite thinks an attack would be successful due to employee mistakes, less than one-third of ITDMs would point fingers at end users

The gaps between IT experts who focus on the technical infrastructure and executives in the C-suite who form business strategy shouldn’t be a surprise to anyone. These groups think differently about cyber threats and how they translate into the IT infrastructure and the business itself.

Even though executives in the C-suite are charged with mitigating risk to the business, they don’t necessarily see their IT infrastructure as part of that business, but more like the technology that lies underneath it.

The CIO is the Common Denominator

There’s one person in particular who has a place in the C-suite while being able to fully appreciate the trials and tribulations of any IT team. That person is the CIO. To get closer to the source, I spoke to a few of them to see what they’ve experienced and recommend.

I first spoke with a CIO who works at a large nearby communications firm for his perspective, and he had this to say: “As a member of the C-suite, I understand our business problems and customer challenges. Among my peers, however, the ecosystem of IT is a different story as there’s a distinct lack of understanding on how things work. I need to be very methodical and descriptive to make sure there’s a good understanding of what the technology we need costs to be secure.”

Ian Pitt, our CIO here at LogMeIn, had this advice for his peers: “An organization can only adopt a productive and successful cyber security program when the culture, budget, risk, scope and the willingness all meet and align. If any of these elements are missing, the CIO will fail to effectively change the security stance of the organization.”

When approaching cybersecurity, it’s crucial that executives are behind the plan. Without support across all arms of the organization, any policy will struggle to flourish, or deliver the best results.

The Need for Alignment on Cyber Threats

When it comes to cyber security, it’s difficult to balance business priorities. For example, an IT security program might need a certain amount of budget to defend the organization, while the compliance program can get more attention because of regulatory deadlines.

And with corporate governance and compliance falling more squarely into the C-suite, the result can often leave IT teams short on resources to fight the threats that face the business.

In a recent Harvard Business Review webinar, Colin McKinty, VP of Cyber Security Strategy at BAE Systems advised IT decision makers to embrace the following best practices to align with the C-suite:

  • Include the C-suite in incident response table-top exercises so they fully understand their roles, and all the possible costs of an attack.
  • Know your enemy and your cyber exposure, educate the C-suite and employees alike, and use real examples of what can be found around your organization.
  • Introduce a forward looking, strategic approach to cyber defense and assume that at some point your organization will be breached.

When it comes to cybersecurity in particular, ITDMs need to consistently review their abilities

to detect and respond to threats. The goal should be to reduce the time it takes to discover a threat so that the proper amount of time can be taken to contain and remediate any unwanted consequences.

With a more strategic view, and pragmatic one based upon the assumption that getting hacked is inevitable, ITDMs can bring the C-suite into the process and help them truly understand that a reactive stance to cybersecurity can be just as important as a proactive one.

Empathy as a Driving Force in Business Communication

The concept of empathy might contradict what people think about a traditional workplace with competitive and cutthroat qualities. But the reality is that executives need to relate to the people around them, including their IT experts, and that requires empathy.

More often than not, people talk at each other instead of making a distinct effort to listen and discover new opportunities for collaboration. A key catalyst for change is open, two-way communication.

At the end of the day, it’s hard to walk in someone else’s shoes if you never get up from your desk. Cyber threats and attacks may very well be the motivation for ITDMs and the C-suite to find commonalities, increase understanding, and make decisions based upon collective intelligence versus the constraints of their own personal and professional experiences.