Opinion

Bridging the disconnect between perception and reality in cybersecurity

Ivanti’s Chief Information Officer spells out where you need to take action to be secure
By
Robert Grazioli

Executives, your company’s cybersecurity is likely not as strong as you believe.

That’s not fearmongering or hyperbole — it’s the cold, hard truth revealed in a new report detailing the alarming gap between how executives perceive their cybersecurity readiness and the stark reality facing IT pros on the front lines.

To put it very mildly, this disconnect has high stakes. The pervasive disconnect between perception and reality is a ticking time bomb that threatens to upend even the most seemingly secure organisations.

Do you really know how at-risk you are?

Owing to highly publicised recent events, global awareness of cybersecurity risks has moved from being buried in the proverbial tech section to the front page. In three-inch font. CISOs don’t have to fight too hard to convince management of the serious public relations and reputation risks that accompany cyberattacks.

Still, increased awareness means very little if it doesn’t translate to a) an authentic understanding of your own company’s security posture and b) necessary improvements.

All too often, leaders feel that their company has a reasonably solid security posture. Here's the stark reality, according to the new report:

· 60% of leaders outside IT feel "very" or "extremely confident" about preventing major security incidents.

· Only 46% of IT professionals share that level of confidence.

The 14-point gap suggests leaders outside IT may not truly understand the financial, operational and reputational risks posed by cyber threats. This should raise eyebrows and alarm bells. Loud alarm bells.

Why are leaders so confident?

Several factors fuel this misplaced optimism. One possible culprit is a shortfall in technical know-how. Since a nuanced understanding of key terms can be a proxy for executive-level buy-in, we asked both leaders and security/IT professionals how well organisational leaders understand key concepts in cybersecurity. For instance, the research indicates that 55% of IT and security professionals believe that non‑IT leaders don’t understand vulnerability management, and 47% of leaders agree – they don’t.

When you don’t understand the problem, you can’t face and fix the problem. And this isn’t a knock on non-IT leaders. It’s a multifaceted issue with shared responsibility. For example, around one-quarter of overall executives view cyber risks as highly damaging to the company’s reputation. Among CISOs, who theoretically have a better grasp than others in the C-suite of the nature and implications of cyber risks, only 15% agree. Chances are, this lower figure reflects a lack of connection between cyber risks and brand perception, not an underestimation of the risks.

The "unbreakable" fallacy

Modern cybersecurity is about smart risk management, not building impenetrable walls. Yet over one in four IT professionals report that ever-changing leadership priorities undermine essential practices like patch management. Without a full understanding of security posture and what’s needed, resources get misallocated.

The common theme here: lack of connection. Call it whatever you want — connection, alignment, shared understanding, collaboration — but it’s all part of the same problem: Companies aren’t prepared as they should be.

Threats are evolving faster than defences

As if the gaps between risk perception and reality aren’t problematic enough, these companies face a moving target. Cyber threats are becoming more sophisticated daily, and it’s hard to keep up even when fully aware and aligned. For those with gaps, the picture is bleak:

· 95% of IT and security pros expect AI to make threats more dangerous.

· Nearly one in three security teams lack a strategy for generative AI risks.

· Almost two-thirds of organisations aren't investing in critical areas like attack surface management and incident response.

It’s time to mind the gap

To address this dangerous disconnect, first, leaders must understand what’s at stake. The numbers don’t lie: Data breaches now cost an average of $4.45 million, up 15% in three years (IBM).[ii] Ransomware payments hit a record $1.1 billion worldwide in 2023.[iii] Companies lose an average of 9% shareholder value after a significant cyber incident.[iv]

Stats like these should grab attention, and then come understanding and action. Here are a few steps that should be on leaders’ radar to close the gap:

1. Elevate security leadership: CISOs should become strategic business partners, not just tech experts.

2. Speak the same language: Translate cyber risks into business impacts executives understand (e.g., brand perception, shareholder value, remediation costs).

3. Educate the C-suite: Implement ongoing cybersecurity training and education for top leadership.

4. Foster dialogue: Create regular touchpoints between IT teams and business leaders, not just the CISO and CIO.

5. Embrace reality-based security: Focus on effective risk management, not perfection. Today’s technology has evolved to include comprehensive, hyperautomated cybersecurity platforms that take a lot of the guesswork out of managing risks, making this process less intimidating than it used to be.

These recommendations are just a starter kit. Every company has unique needs and extenuating circumstances leading to the current disconnect. Whether it’s turnover, budget constraints, misaligned priorities, lack of IT resources or other barriers, the problem won’t fix itself.

Mind the gap. Then, do something about it. Don’t be afraid to ask for help.

Robert (Bob) Grazioli is Ivanti’s Chief Information Officer (CIO), responsible for all of its global IT systems and SaaS Operations.

Written by
Robert Grazioli
CIO, Ivanti
August 12, 2024