BreachExchange mailing list archives

Are CISOs too confident?

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Jun 2014 18:27:57 -0600

http://net-security.org/secworld.php?id=17047

CISOs and IT managers may be too confident in their capabilities to ensure
their organization's security and defenses against a data breach, according
to Courion.

A majority (63%) of IT security managers believe it is 'easy' to govern
staff access rights and privileges, despite the fact that 42% admitted they
either do not have or are unsure of their ability to monitor and prevent
breaches caused by accidental or deliberate staff actions.

This overconfidence in the face of an apparent lack of expertise is
concerning, given that 1 in 4 of the respondents cited staff failure to
follow access policies as the greatest threat to their organization's data
security, just slightly ahead of professional hackers.

The survey also confirmed the pressures IT managers and CISOs face in
managing data security, with 45% saying their organisation had suffered a
data breach. Any confidence they may exhibit masks fears over job losses
(42%), severe reprimands (41%) and demotion (34%) if their organisation
suffered a data breach.

And it seems UK IT security executives are looking for help from within the
organisation, with mixed results. 43% of respondents feel they could have
better relations with human resources in managing staff access rights and a
majority (59%) don't feel confident or are unsure they get enough help to
make dealing with insider threats easier.

In fact, a recent separate Courion study into staff attitudes to IT
security suggests staff can be ambivalent about how they use their access
rights - for example, 39% share work login details with colleagues and 1 in
5 of UK professionals would snoop on sensitive personal data if they have
access to it.

Courion CEO Chris Zannetos commented, "Like elsewhere, UK CISOs and IT
managers are under immense pressure to prevent data breaches. What's
striking is many are finding it difficult to get the support needed to
appropriately address insider threats. IT infrastructures have become
increasingly complex as the access needs of users constantly change. This
makes it challenging for CISOs and IT managers to understand, and as a
result effectively communicate, exactly where business risk lies.

"We recognise the need to help our customers in their efforts to convey
critical access-related risk in business terms. Our new service offering,
the Access Risk Assessment, gives them the insight they need to begin to
proactively identify and eliminate risk," he added.

The survey polled 100 senior IT security professionals including CISOs in
companies with more than 500 employees.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 