BreachExchange mailing list archives

Enterprise defenses lag despite rising cybersecurity awareness


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Nov 2013 21:47:33 -0700

http://www.csoonline.com/article/742486/enterprise-defenses-lag-rising-cybersecurity-awareness

Organizations are showing more interest in cybersecurity through executive
involvement and higher spending. Nevertheless, the added attention is new
and more resources need to be directed at defending against cyberattacks, a
study shows.

Last year, no information security professionals said they reported to
senior executives. Today, 35 percent report quarterly on the state of
information security to the company board and the chief executive and about
10 percent report monthly, according to this year's Global Information
Security Survey <http://www.ey.com/GISS> from consultancy Ernst & Young.

While the upper echelon is paying more attention, they are still not
spending enough to defend against cyberattackers, who are increasingly more
sophisticated, according to the survey of senior executives in more than
1,900 companies and government organizations.

Half of the respondents planned to increase their cybersecurity budget by 5
percent or more over the next 12 months, yet 65 percent cited insufficient
funds as their number one challenge to operating at a security level
expected by their companies. For businesses with revenues of $10 million or
less, the number dissatisfied with funding rose to 71 percent.

A larger percentage of budgets need to be directed at security innovation
and emerging technologies within the enterprise, such as the use of mobile
devices and social media, the survey found. Over the next 12 months, 14
percent of security budgets are being allocated to new technologies, yet
respondents said they were unsure whether they were ready to handle the
risks posed by corporate use of social media.

"Organizations need to be more forward-looking," Ken Allan, EY global
information security leader, said in a statement.

Data protection is being taken much more seriously within organizations.
Rather than being treated as a line item in a contract or something left to
third parties, as seen in previous surveys, three quarters of respondents
were mandating self-assessments or commissioning independent external
assessments.

As the attention given to cybersecurity grows, so does the need for skilled
professionals. Unfortunately, the available pool of talent is insufficient.
Half of the respondents cited a lack of skilled workers as a barrier to
meeting all security priorities.

The scarcity of talent is not being properly addressed by an increasing
number of executives, the survey found. The percentage of respondents
citing a lack of executive awareness or support rose to 31 percent this
year, from 20 percent in 2012.

"A lack of skilled talent is a global issue," Allan said. "It is
particularly acute in Europe, where governments and companies are fiercely
competing to recruit the brightest talent to their teams from a very small
pool."

To become more efficient in cybersecurity, EY is recommending that
businesses take time to understand the attackers targeting them and then
decide on the defense strategies and technology.

"Look for the trophies that they (attackers) would be interested in and
organize your defenses around that," Chip Tsantes, a principal in EY's
cybersecurity practice, told CSOonline Friday.

Tsantes finds that the digital assets being targeted within an organization
often do not correlate with where organizations are spending their money.

Gathering and sharing intelligence on cyberattackers threatening data,
networks and business processes is an emerging information security
discipline.

A recent survey of security decision-makers found that three quarters of
them rated establishing or improving threat intelligence as a top priority
for their organizations, according to Forrester Research.

In addition, a recent Ponemon Institute report found that enterprises could
reduce annual costs associated with cyber-attacks by 40 percent, if they
had intelligence they could use to bolster defenses.

The need for improved cybersecurity is well established. Forrester Research
found that 45 percent of respondents had experienced a breach at least once
in the last 12 months.

EY found that 31 percent of the participants in its survey had seen at
least a 5 percent increase in the number of security incidents in their
organizations in the same timeframe.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
