Darn good question. But as SC Magazine recently reported, a new report from Ponemon Institute determined that nearly a third of IT security teams never speak with their company's executives about cyber security and of those who did, 23 percent spoke to them only once per year.
This lack of communication and security awareness obviously increases companies' risk of experiencing some kind of attack. Jeff Debrosse, director of security research at Websense, which sponsored the "Roadblocks, Refresh, & Raising the Human Security IQ" report, said in an interview with SCMagazine.com that the "31 percent [of IT teams that do not speak with their corporate executives] will, at some point, find themselves on the front page because they're not having a conversation about insider threats, APTs, etc."
Security teams need to communicate with executives, as silence on their part may well be taken to mean everything is fine when it is not. They certainly need to have a presence and be able to defend their budget requests, updating the executive team on what has changed in the world of cybersecurity, which moves very quickly indeed.
The report, which surveyed more than 160,000 IT security professionals in 15 countries to determine the challenges they face in dealing with cyber security threats, also found that 47 percent of respondents felt frequently disappointed with the level of protection their security solution offers, and that 52 percent of companies do not provide cyber security education to their employees. The majority of those surveyed work for financial companies, and the United States and India accounted for the largest portion of respondents.