BreachExchange mailing list archives

CEOs still don't get cyber security, study finds


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 29 Apr 2014 19:11:17 -0600

http://www.scmagazineuk.com/ceos-still-dont-get-cyber-security-study-finds/article/344572/

In the first of a two-part study sponsored by Websense, Ponemon Institute
surveyed 4,881 experienced IT and IT security practitioners across 15
countries, and found that not only were C-level executives unaware of the
security risks, but that infosec practitioners themselves were finding it
hard to keep up with cyber-criminals.


Approximately 80 percent of respondents said that their company's leaders
"do not equate losing confidential data with a potential loss of revenue",
despite Ponemon indicating that the average cost of an organisational data
breach is approximately £3.2 million ($5.4 million).


In addition, just under half of global respondents (52 percent in the UK)
said that their board-level executives had a subpar understanding of
security issues. Although this number has not been measured in previous
studies, analysts believe that "cyber security awareness has most likely
increased over the last few years."


Despite this, Websense EMEA strategist Neil Thacker admitted that there is
work to be done in order to get C-level onside with cyber security.


"I see a lot of professionals in the dark at the moment," he said, an
observation backed up by the report's finding that less than half (41
percent) of respondents (35 percent in the UK) believe they have a good
understanding of the threat landscape.


"We need to bring them out [of the dark] so they understand what the latest
threats are," he added.


On C-level awareness, Thacker added that the 80 percent figure is a "huge
worry", not least with the EU Data Protection Regulation changes just around
the corner. That said, he expects the proposed changes - which will see data
breach fines of up to 5 percent of global revenues - to raise awareness.


"This will make it more of a discussion at boardroom level. Data and data
losses will become a top-line level," he told SCMagazineUK.com.


He goes on to add that it is up to CSOs and CISOs to establish what the
confidential data is, and the likelihood of it being lost, in order to get
budget and resources from the boardroom. He advises that spending goes on
'layered' security and improved threat intelligence, something he says
remains an issue.


"There is a general lack of knowledge on the best place to get threat
intelligence," he said while noting that researchers at Websense - as well
as ENISA (where he is a member) have noted "some improvement" in this area.
The Ponemon study finds that over half of respondents (59 percent
worldwide, 58 percent UK) do not have adequate intelligence and, perhaps as
a result, are unsure about attempted attacks.


SIEM solutions are, however, not the way forward, according to Thacker, who
adds that most businesses are 'struggling' to find their value on a return
on investment (ROI) basis. Instead, he says that firms are looking at big
data security analytics and other solutions that do more than just detect
threats.


Other headline figures from the study include the finding that 57 percent
of IT pros do not think that their organisation is protected from cyber
attacks, with 63 percent doubting that they can stop the exfiltration of data.


Forrester analyst Andrew Rose is not surprised by the finding that
companies don't feel protected from cyber attacks.


"This is unsurprising as systems have evolved to be multi-layered and
complex. Many organisations will be using multiple systems including
mainframes, AS400s and UNIX systems to process their critical business
transactions, often all working together and hidden under a nice Windows
GUI," he told SCMagazineUK.com.


"As the systems interact, across different operating systems and protocols,
there are bound to be inconsistencies, translation errors and an acceptable
level of deviance from standards, all of which enable the threats to
interject."


In response to this news, Clive Longbottom, founder and analyst at
Quocirca, in part blamed the C-level disconnect on those in the information
security industry.


"My take is that [the report] isn't worth the paper it is written on," he
said in an email to SCMagazineUK.com.


"Why? Because security issues have been worded in arcane language since
they first came about – and this has led to the emergence of the Chief
(information) Security Officer," he added.


"This means that the rest of the C-level staff can carry on as they want -
cyber security is someone else's responsibility. Unfortunately, CSO staff
tend to be security specialists - not business specialists, and so get in
the way of business happening, with more of an approach of 'don't do this',
rather than 'how can we do this securely?'.



"Security has to be baked in to the business - and not just at a cyber
level. Security is a business issue, and has to include how people
operate; how information is used (including via telephone, paper and any
other way)."


This study follows another by Turnkey Consulting, which revealed that one
in six IT security pros believe that their organisation sees security
merely as "an unnecessary expense only undertaken to keep the auditors
happy."


Richard Hunt, managing director of Turnkey Consulting, said at the time:
"It is concerning to see that IT security is still not perceived to be an
integral part of the business."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 