Kaspersky study reveals basic cybersecurity terms unfamiliar to top managers   

Many business executives prefer not to admit a lack of understanding when discussing cybersecurity issues. A recent Kaspersky study also revealed that up to a third of top managers in the UAE & Saudi Arabia are unfamiliar with such terms as DDoS, cryptominers, or backdoors. 

While keeping cybersecurity in mind with every business decision has already become the norm, many executives lack confidence that their cyber spending is being allocated to the most significant risks their organization is facing. Kaspersky conducted its own research to help IT and C-level find common ground and explore the root of their misunderstandings.

The Kaspersky poll indicates that C-suite executives sometimes struggle to understand their IT security peers and are not always ready to show their confusion. In the UAE and Saudi Arabia, 23% of non-IT executives say they would not feel comfortable flagging that they don’t understand something during a meeting with IT and IT security. 35% of them hide their confusion and prefer to clarify everything themselves after the meeting, and 37% don’t ask additional questions because they don’t believe their IT peers will be able to explain it in a simple way. Almost half of them (48%) feel embarrassed revealing they don’t understand the topic, and 47% don’t want to look ignorant in front of IT colleagues.

Also, even though all surveyed top managers regularly discuss security-related issues with IT security managers, 24% would not be able to explain what a botnet is, 28% would not be able to explain what an APT is, and 32% would not be able to explain what a DDoS attack is. At the same time, spyware, malware, Trojan and phishing appeared to be more familiar to top managers.

[Chart, UAE & KSA: "Which of the following statements best describes your knowledge and understanding of the following threats?"]

Some top managers admit they have never heard of cybersecurity terms like DevSecOps (10%), Zero Trust (10%), Threat Intelligence (7%) and Pentesting (6%).

“Non-IT top management do not have to be experts in complex cybersecurity terminology and concepts and IT security executives should keep this in mind when communicating with the board,” comments Sergey Zhuykov, Solution Architect at Kaspersky. “To establish efficient cooperation CISO should be able to focus C-level attention precisely on meaningful details and clearly explain what exactly the company is doing to minimize cybersecurity risks. In addition to communicating clear metrics to stakeholders, this approach requires offering solutions instead of problems.”

To ease the communication between IT security and business functions within the company, Kaspersky recommends the following: 

  • IT security should be positioned as a driver for growth and innovation in the organization. To achieve this the IT security team should move away from prohibitive tactics and rather explain how the business can achieve its goals while mitigating cybersecurity risks.
  • CISOs should actively engage in operational activities and build relationships with the company’s stakeholders. As long as fewer than 20% of CISOs have established partnerships with key executives in sales, finance, and marketing, it is hard for them to stay abreast of the needs of the business.
  • When communicating with the board, use arguments based on an overview of threats by experts, your company’s attack status and best practices.
  • Explain to the board what the main responsibilities of the IT security team are. If possible, provide them with an opportunity to walk in a CISO’s shoes to get insights on the most relevant IT security challenges.
  • Allocate cybersecurity investments to tools with proven efficacy and ROI. This means tools that lower the level of false positives and reduce attack detection time, the time spent per case and other metrics that are important to any IT security team.

The full report and more insights on communications issues between C-level and IT security managers are available via the link.

About The Author

Shima Zamil

Social media Marketing, Creative copywriter, Arabic- English translator, and Community management
