News

Being an IT decision maker increasingly means focusing on security issues.

We have a panel of respondents that we talk to all the time, and they paint a picture of a constantly-changing role. Other parts of the organisation are increasingly procuring their own technology services, and innovative technology projects don’t necessarily involve the IT department.

They can see their territory shifting. And they are becoming increasingly protective and proud of what remains. Security is a big part of that territory, and it’s something they think a lot about.

During February, we asked 500 of our panellists in the UK, France, Germany, and the US how they personally ensure that their companies remain secure, and how confident they are in their company’s security.

Although they try their hardest, it’s a tough frontier.

The good

The IT department would be struggling if their security systems were not kept updated. Most are doing fine at this - 95% of the 500 people we spoke to said that they’re confident to some degree that software, hardware, and processes are up-to-date. But only a minority are totally confident though (43%), so while they’re doing ok the techies themselves may be too stretched to be totally confident.

The decision makers are trying to improve this, though. More than half update their cybersecurity knowledge at least weekly, and 22% do so every day.

If you’re a marketer and wondering how to get your products and services in front of those IT decision makers, here’s the juicy bit: they’re most likely to keep up-to-date on cybersecurity issues by looking at:

• Specialist online publications (69%)
• Content from experts and analysts (69%)
• Content directly from vendors (65%)
• Content in specialist print publications (44%)
• Content from peers (44%)
• Anonymous content on social media and online forums (10%)

The authoritative stuff comes from specialists and vendors, not necessarily peers. Useful to know.

The bad

Although IT decision makers are diligently keeping up with security trends and making sure the company’s systems are updated, all that knowledge is siloed. It’s not even necessarily being shared amongst the team. Talking to our respondents this month, there’s definitely a sense that they might be refreshing their knowledge regularly, but that’s on an individual basis.

The result of knowledge not being shared? If one person is out of the office for whatever reason, it creates a gap in the organisation’s security.

We asked everyone what would happen to security processes while they go on annual leave. Less than half - just 45% - said they are totally confident that those processes will be managed and adhered to.

If one person goes on holiday, the company becomes vulnerable.

The ugly

But still, people in these IT departments try their best. They want to understand how to best protect their systems from any vulnerability, and they want to understand how attackers might try to gain access.

Extraordinarily, this means that many of the people we spoke to - all of whom are decision makers - are downloading and and using hacking tools themselves.

We asked about ten common hacking tools, including things like Nmap and Luckystrike. A third of respondents or more have used each of them, and almost half have used SQLmap.

Although they might not always be using these tools on work systems and on work time, downloading and using dubiously sourced programs designed by people with less than noble intentions could present a massive risk. There’s no suggestion that IT decision makers aren’t being careful, but the risk is always there.

Final thoughts

These snippets of data tell us an awful lot.

IT decision makers are doing their best, but they’re seemingly working on security individually rather than as a group. They need to find ways to share that knowledge and tackle security issues collectively rather than acting as lone rangers.

It might be easy pickings for vendors to target individuals to market to and offer advice, and the data here shows that this group trust and seek out vendor advice. But looking for ways to talk to entire groups in an organisation is likely to be more meaningful to that company in the longer term.

Interested in receiving news like this in your inbox? Sign up for our monthly newsletter here