For that reason, Jay McLaughlin, chief security officer and senior vice president of Q2 Holdings, has led a program to phish the company's own employees. "I really do think it's not a matter of if but truly a matter of when that occurs," he said.
But that's not something a company would do if IT professionals and executives were not talking to each other to identify what – and who – was really at risk.
Changing the conversation
Communication is what will get IT professionals and executives on the same page, says Bell.
"It's about communication and the need to talk to each other in a language that both understand," Bell says. "IT might talk in terms of updates, breaches and vulnerabilities. The executive team talk about technology in the context of the business."
For IT professionals, that different conversation means knowing what priorities executives have and why. "Sure they think they're communicating what management needs to know to make good decisions, but it's hard," Danahy says, because sometimes priorities are mismatched. A concern for price or efficacy or ease of deployment might trump how well something actually works.
Executives, for their part, need to start asking better – and deeper – questions.
"Executives won't say 'what have you done and where are we at?' The following question that might be a little bit more for a management professional to ask is 'What are you worried about?'" That, Danahy says, could lead the IT professionals to say what they're spending most of their time on, things that might otherwise be hidden from the executive view.
That's especially true if IT professionals feel overwhelmed, or helpless, in the security fight. Bell says that's when outside help might need to be called in. "Expert object insight can shine light on the issues fairly rapidly, whether it's penetration testing, security policy assessment or a system review," he says. "Often this in-house expertise can be missing, especially if the executive board hasn't bought into the importance of security for the business."