When It Comes To Security, Data Loss Most Concerns CEOs: Study

These and other findings were released in a study Wednesday, conducted by the privacy research firm Ponemon Institute and sponsored by IBM, titled "The Business Case for Data Protection: A Study of CEOs and other C-Level Executives in the United Kingdom."

Altogether, the study surveyed 115 C-level business executives in the U.K. in an effort to discern how top managers regard the value of privacy and data protection efforts within their organizations.

Among other things, the report indicated that the looming threat of data breaches is top of mind for C-level executives, and will likely drive continued investment in security products and strategies at the management level.

According to the research, more than three-fourths (77 percent) said that their firm has experienced a data breach at some point, while all respondents said that they have had their data attacked in the last year. In addition, 76 percent of those surveyed said that eliminating or reducing security vulnerabilities within their business- critical applications -- which are typically targeted by external threats -- was the most important aspect of their data protection program.

The report indicated that a dwindling percentage -- 18 percent -- of C-level executives said they are confident that their organization would not experience a data breach within the next year. However, an overwhelming majority (81 percent) said investing in a comprehensive security strategy could greatly reduce the risk of data loss or theft.

One of the biggest reasons for this heightened awareness for data protection at the executive level was due to greater concern over their company's brand or image. According to the study, 51 percent of C-level executives believe the purpose of data protection programs was to strengthen their organization's brand.

"They're largely concerned with corporate reckoning, how the company is perceived and how data protects its brand and its image," said Jack Danahy, security executive in the office of the CTO for IBM software group Rational. "It's really interesting and fantastic for readers who care about justifying security."

Danahy said that there was less of a focus on more granular aspects of data protection at the CEO level. In contrast, lower level executives recognized the necessity of data protection in order to meet regulatory compliance mandates.

Another place was where C-level executives and other employees differed was in the perceived sources of risk. At the top levels, 22 percent of CIOs believed that cybercrime and external attacks were the greatest threat to sensitive data, while only 5 percent of CEOs saw cybercrime as the greatest source of risk.

"That really impacts these organizations' views of their protection strategies," Danahy said. "It really talks to the reconciliation at the executive level and implementing level about understanding where the risk is."

Danahy said that the focus on data breaches in the media -- particularly in regards to application security -- also drove increased awareness with top executives.

"If we look at the way in which application risk has changed over the last couple of years, there's been so much more focus on data breach exposure," he said. "All of that is leading to that primary awareness."

And despite a worldwide economic recession, more top executives viewed data protection as something that would provide a strong ROI to their organization, due to the fact that it could potentially save them millions if their critical information or infrastructure was under attack.

"What's happening is more and more people are judging the success of that investment by the level of protection they see to the data," Danahy said, adding. "Whether you're a bank or a retailer, the data is what's driving the efficiency of your business."