Darnley's Cyber Café

The Cybersecurity Perception Gap: Why Executives and IT Teams Don’t See Risk the Same Way

Darnley's Cyber Café Season 6 Episode 20


Executives say they’re confident in their cybersecurity, but their teams aren’t so sure.

In this episode of Darnley’s Cyber Café, we explore the growing cybersecurity perception gap between leadership and practitioners, why it matters, how to fix it, and what it reveals about the state of cyber resilience in 2025.


Tune in to uncover how confidence can turn into complacency, and how awareness can become your greatest defence.


Subscribe now to Darnley's Cyber Cafe and stay informed on the latest developments in the ever-evolving digital landscape.

The Cybersecurity Perception Gap: Why Executives and IT Teams Don’t See Risk the Same Way

Hello everyone, and welcome back to Darnley’s Cyber Café, the place where we brew strong coffee and even stronger cyber-sense. I’m your host Darnley, coming to you from our virtual café where we pause, reflect and dig into the pressing cybersecurity conversations of the day.


Today we’re going to unpack something that often doesn’t get the attention it should: the perception gap in cybersecurity, namely why executives and practitioners often view risk very differently, and what that means for the organization as a whole.


Part 1: Setting the Table – What is the perception gap?

Let’s start by defining our terms. A recent article in The Hacker draws on findings from the Bitdefender 2025 Cybersecurity Assessment to illustrate this gap.

 
Here are the headline figures:

  • 93% of respondents (cybersecurity & IT professionals) say they’re “somewhat” or “very confident” in their ability to manage cyber risk as the attack surface expands. 
  • Among C-level leaders (CIOs, CISOs etc.), 45% say they are very confident in their organization’s readiness. 
  • But among mid-level managers / operational teams, only 19% say they are very confident

So you see: executives are more than twice as likely to see themselves as very confident compared to the folks “in the trenches”. That differential — that difference in outlook — is the perception gap.

Why does it matter? Because perception shapes what gets prioritized, what resources are allocated, and how much emphasis is placed on people, process and technology. If leadership overestimates readiness, the result is under-investment in critical areas.

I can tell you from my own experience, sitting in various boardrooms and virtual meetings, that I can attest to this perception from leadership.


Part 2: Why does the gap exist?

Let’s look at a few root causes...

1) Different vantage points
To quote Sean Nikkel, Team Lead at Bitdefender’s Cyber Intelligence-Fusion Cell:

“Think about what happens after a merger or acquisition … you inherit whatever risk the acquired company carried … legacy systems, forgotten shadow IT, outdated processes. Those details are often invisible to leadership but painfully clear to security teams.” 


In other words, front-line teams deal with the mess, the legacy, the operations. Executives may get reports, dashboards, summary metrics, but may not see every wrinkle, or personally have to deal with each incident.

2) Communication, language and reporting gaps
Martin Zugec from Bitdefender observes: “In my investigations, I often see a completely different version of cybersecurity than what’s being discussed online… there’s a gap between perception and reality.” 


And Nick Jackson, also from Bitdefender, says: “Mid-level managers handle much of the operational load, while CISOs and C-level leaders focus on strategic planning… Without strong reporting and collaboration, those worlds can drift apart.”


So one cause is the strategy vs operations divide. The board/executive team may say “we accept this level of risk”, while operational teams are dealing with every alert, every vulnerability, every incident.

3) Optimism bias and risk appetite
Leaders may naturally have a different risk appetite, and I say this comes from their own experience and the life they have lived: they often see cybersecurity as an enabler of business growth, not simply a cost.

They may believe they already have the right controls, or that their investment is sufficient. But if they rely on high-level metrics without deep operational visibility, they may be overly optimistic. 

4) Resource constraints, staffing, culture
Other research supports this. For instance, a multi-country study (“Managerial Insights on Investment Strategy in Cybersecurity”) finds that while cybersecurity is increasingly seen as a source of competitive advantage, many firms still face barriers: limited resources, talent shortages, cultural resistance.
And another article, “Mind the Gap: Revealing Security Barriers through Situational Awareness of SMB Key Decision-Makers”, shows that small and medium business leaders often lack awareness of the detailed threats or control gaps.


Put together: executives may believe they have done enough, while practitioners know the gaps, the legacy systems, the staffing issues, the pressures.


Part 3: The Perception Gap in Practice — What does it look like?

Let’s paint a few scenarios I’ve seen or heard stories about:

  • A board approves a budget for cybersecurity upgrades based on an executive summary that says “we’re compliant, our controls are solid”. Meanwhile the SOC team is overwhelmed with alerts, the vulnerability backlog is high, they’re working overtime, and incidents keep flickering through.
  • Executives believe the risk is “under control” because the dashboard says X% of endpoints are patched, but that patch coverage doesn’t capture shadow IT, remote devices, or line-of-business apps that aren’t in the standard inventory.
  • An organisation embarks on digital transformation, shifts to the cloud, embraces DevOps. Executives say “cyber is baked into this strategy”. But the security teams know the DevOps pipelines were spun up quickly, control gates are missing, logging is incomplete, and shadow services are running.
  • Reporting: A CISO presents to the board, emphasising strategy, vision, and metrics like “mean time to detect” or “annual incidents” that are stable or improving. But the operations team feels that near-misses are higher than ever, threat actors keep evolving, and the dashboards don’t reflect the risk trend. There’s a mismatch.

We see similar patterns in other domains. For example, a recent report found that 71% of executives say AI boosts productivity in cybersecurity, but only 22% of analysts agree.

This is essentially a perception gap applied to AI in security. So the phenomenon is broader than just “readiness” — it spans tools, staffing, risk appetite, culture.


Part 4: Why it matters — The real consequences

This isn’t just academic. The perception gap has real operational and strategic consequences. Here are a few reasons why:

  • Mis-allocation of resources: If leadership thinks things are fine, they may deprioritise additional budget for staff, training, upgrades. Meanwhile on the ground the risk is increasing.
  • Strategic mis-alignment: If security strategy is formulated without genuine operational input, you may get controls that look good on paper but don’t address the true threat vectors.
  • Culture & trust issues: If practitioners feel leadership doesn’t grasp or listen to the real issues, morale suffers; risk gets hidden or under-reported.
  • Regulatory/compliance risk: Boards and executives might misunderstand or underestimate risk, which means they may not take accountability seriously. For example, a recent IT Pro article found 91% of cyber-professionals believe that responsibility for security lies with the board, not just the security manager or CISO. 
  • Incident response and blind spots: If the executive view is rosier than reality, when a major incident happens you may be caught off-guard, with inadequate resilience, poor backup plans, or missing critical oversight.

So bridging the perception gap isn’t just “nice to have” — it’s a business imperative.


Part 5: How to Close the Gap — Practical Steps

Alright, so we’ve identified the gap and the risks. What can you do? Here are some actionable steps:

  1. Shared vocabulary and metrics
    Create metrics that both executives and practitioners care about. For example: number of high-risk vulnerabilities open for more than 90 days, number of incidents with business impact, number of applications or hosts outside the approved inventory. State each metric with its denominator, because a coverage percentage is only as honest as the inventory it is measured against. Make sure executives understand the metrics and practitioners see how they map to risk.
  2. Regular two-way communication
    Encourage front-line teams to present not only positive metrics but also “what keeps me up at night” items. Executives should visit SOC, talk to practitioners, attend war-games, ask “what would we do if X happened”.
  3. Risk-appetite alignment sessions
    Ask: what level of risk do we accept? Then map the controls and investment to that. Practitioners need to understand business priorities (speed, innovation, cost) and executives must understand operational constraints (staffing, legacy systems, alert fatigue).
  4. Operational transparency
    Don’t hide near-misses. Provide dashboards and narrative context that show “we caught this, but only because of luck; next time we might not”. That builds realism.
  5. Budget and resource alignment
    Don’t assume the budget is spent wisely just because a number is green. Conduct maturity assessments, scenario gaming (what if we lose this system), and address people/process/technology together.
  6. Strengthen culture and trust
    Foster an environment where practitioners feel heard and executives aren’t insulated. Build cross-functional forums—security + operations + business units—to explore threats together.
  7. Train and educate the executives
    Top leaders often need education in cyber risk, threat landscape, business impact. If they lack awareness of operational realities, they won’t bridge the gap.
  8. Use external benchmarks and research
    Use surveys like the Bitdefender one I cited, academic research (for example the “Managerial Insights on Investment Strategy in Cybersecurity” study) to benchmark yourself. The more data you have, the less “this is just our opinion”.
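Step 1 above and the patch-coverage scenario in Part 3 both come down to the denominator: a percentage is only as reassuring as the inventory it is measured against. The following Python is an added example, not from the episode or from Bitdefender’s research, and all of its data (host names, the three inventory sources, the vulnerability findings and their dates) is constructed for illustration. It measures patch coverage once against the endpoint-management tool’s own host list and once against an inventory reconciled from several sources, lists the hosts that only the other sources know about, and reports the critical/high findings open for more than 90 days.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (assumed, not from the episode). Three sources that
# rarely agree in practice: the endpoint-management tool (which also records
# patch status), the identity provider's device registrations, and network
# discovery.
MANAGED_ENDPOINTS = {          # host -> fully patched according to the management tool
    "ws-001": True,
    "ws-002": True,
    "ws-003": False,
    "srv-010": True,
}
IDP_DEVICES = {"ws-001", "ws-002", "ws-003", "ws-004", "lap-077"}       # devices registered for SSO
NET_DISCOVERY = {"ws-001", "ws-003", "srv-010", "srv-011", "iot-lab-1"}  # hosts seen on the network
REPORT_DATE = date(2025, 11, 1)                                          # "today" for the report


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str      # "critical", "high", "medium" or "low"
    first_seen: date
    remediated: bool


# Constructed vulnerability findings; srv-011 exists only in network discovery.
FINDINGS = [
    Finding("ws-001", "high", date(2025, 5, 1), False),
    Finding("ws-003", "critical", date(2025, 8, 15), False),
    Finding("srv-010", "high", date(2025, 6, 20), True),
    Finding("srv-011", "critical", date(2025, 3, 3), False),
    Finding("ws-002", "medium", date(2025, 2, 1), False),
]


def reconciled_inventory(*sources):
    """Union of every source: the closest thing to the real attack surface."""
    return set().union(*sources)


def unmanaged_hosts(managed, *other_sources):
    """Hosts that some source knows about but the management tool does not."""
    return reconciled_inventory(*other_sources) - set(managed)


def patch_coverage(managed, inventory):
    """Fraction of `inventory` known to be fully patched. A host absent from
    `managed` has no patch status and therefore counts as unpatched: the
    denominator, not the tool, decides the number."""
    if not inventory:
        return 0.0
    patched = sum(1 for host in inventory if managed.get(host, False))
    return patched / len(inventory)


def overdue_high_risk(findings, today, max_age_days=90):
    """Open critical/high findings older than the agreed remediation window."""
    return [
        f for f in findings
        if not f.remediated
        and f.severity in ("critical", "high")
        and (today - f.first_seen).days > max_age_days
    ]


def executive_metrics(managed, idp, net, findings, today):
    """The shared metrics from step 1, each with an explicit denominator."""
    full = reconciled_inventory(managed, idp, net)
    return {
        "coverage_managed_only": patch_coverage(managed, set(managed)),
        "coverage_reconciled": patch_coverage(managed, full),
        "hosts_outside_inventory": sorted(unmanaged_hosts(managed, idp, net)),
        "high_risk_overdue_90d": sorted(f.host for f in overdue_high_risk(findings, today)),
    }


if __name__ == "__main__":
    metrics = executive_metrics(MANAGED_ENDPOINTS, IDP_DEVICES, NET_DISCOVERY, FINDINGS, REPORT_DATE)
    for name, value in metrics.items():
        print(f"{name}: {value}")
```

On the constructed data the management tool reports 75% of its own hosts patched, but measured against the reconciled inventory the figure is 37.5%, and one of the two overdue critical/high findings sits on a host the tool has never seen. Presenting both numbers side by side, with the list of unmanaged hosts, is the kind of shared metric that keeps the dashboard and the SOC telling the same story.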


Part 6: My Take / Opinion

Now let me share a few thoughts from my side.

  • I believe this perception gap is, in many organizations, inevitable unless intentionally addressed. It stems from human nature: executives see strategy, outcomes, headlines; practitioners see process, alerts, detail. Without bridging, you get two different languages and trains of thought.
  • One danger I see: when leadership assumes controls are functioning just because “we’ve bought the tool” or “we patched X % of devices”. But they may not appreciate the hidden risk of shadow-IT, misconfigurations, or human error. So, complacency sets in.
  • On the flip side, I’ve seen practitioners become cynical when they feel their concerns aren’t heard. That too causes blind spots—if they stop raising issues because “they’ll just ignore us anyway”. That feedback loop is dangerous.
  • A perception gap can also reflect generational or organisational culture differences. Executives may prioritize business agility and innovation, whereas security teams may prioritize stability and risk avoidance. That tension must be managed.
  • Finally: bridging the gap isn’t just for big firms. SMEs suffer even more because decision-makers may lack awareness of detailed threat surfaces. The “Mind the Gap” study of SMBs found situational-awareness deficits among key decision-makers. You don’t need thousands of staff to benefit from alignment; you just need alignment.


Part 7: Wrap-Up

So to recap:

  • The cybersecurity perception gap is real: executives tend to be more confident than practitioners.
  • It arises from different vantage points, communication gaps, resource realities, culture and risk appetite.
  • It matters because misalignment leads to under-investment, blind spots, mis-allocation of resources, and ultimately higher risk.
  • The way forward: shared metrics, communication, risk-appetite alignment, transparency, investment in people/process/technology, training, culture.
  • My view: organisations that treat cybersecurity as just a technical problem will struggle; those that treat it as a strategic business-risk problem and align leadership with operations will fare much better.


Host (Darnley):
Thanks for joining me today at Darnley’s Cyber Café. I hope this episode gives you food (and coffee) for thought. Whether you’re in the C-suite, managing operations, or somewhere in between, ask yourself: am I seeing the same risk landscape as my counterpart? If there’s a gap, it’s time to close it.

If you liked this episode, subscribe or drop a comment about the biggest perception gap you’ve seen in your organization. I’ll see you next time — same café, new topic, always cyber-aware. Stay curious, stay informed — that’s where true power begins.

[Outro Music / Café Ambience]