BreachExchange mailing list archives

Boards are getting more involved in cybersecurity, but is it enough?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 21 Oct 2015 17:50:54 -0600

http://www.cio.com/article/2995091/security/boards-are-getting-more-involved-in-cybersecurity-but-is-it-enough.html


An escalation in the frequency, severity and impact of cybersecurity
attacks damaging corporate operations, finances and reputations is forcing
boards of directors to take more active roles in their company's defensive
posture. However, the level of participation in their companies' risk
mitigation strategy remains lacking, according to new research from PwC.

Forty-five percent of 10,000 CEOs, CFOs, CIOs and other executives PwC
polled said that their boards participated in corporate cybersecurity
strategy, up from 42 percent when PwC conducted a similar survey for 2014,
according to David Burg, PwC's global cybersecurity practice leader. But
given the glut of cybersecurity attacks, Burg says the numbers are lower
than they should be. “It is surprising that this number isn't north of 75
percent,” says Burg, who published the data in a new report. “In a world of
connected business ecosystems, you’re only as strong as your weakest link.”

Cyber attacks capture corporate attention

Emphasis on protecting corporate assets has risen dramatically in the wake
of high-profile breaches at Target, Home Depot and other organizations. A
major, targeted attack on Sony Pictures proved terrifying for many
companies -- and heightened board-level interest -- as the attackers
released embarrassing emails. Moreover, the frequency of attacks is
accelerating: PwC survey respondents reported a 38 percent uptick in
cyber-assaults from 2014. The result has business leaders and their boards
rethinking their cybersecurity practices, including funneling $77 billion
on corresponding tools and processes this year. That number will more than
double to $170 billion by 2020, according to Gartner research.

Emerging digital technologies, including IP address-enabled devices under
the Internet of Things banner, will widen the attack surface, forcing
corporate boards to step up their participation in threat mitigation, Burg
says. Some boards are influencing technology selection, process
implementation and budgets. For example, board participation in technology
spending grew 7 percent, to 37 percent from 2014 to 2015, which he views as
partially responsible for the 24 percent boost in security tools. Reviews
of privacy and security risks also grew 7 percent, to 32 percent from 25
percent a year ago.

Stepping up the cyber defense

Meanwhile, with or without the board’s involvement, companies are taking
several measures to better protect themselves beyond such obvious options
as strong encryption.

Cloud services as a trusted security measure. Companies are investing
heavily in cloud tools for data protection, privacy, network security,
identity and access management, real-time monitoring and analytics, and
advanced authentication. Sixty-nine percent of those surveyed say they were
using a cloud-based security service, and 56 percent cited real-time
monitoring and analytics as their preferred line of defense.

Advanced authentication: Many banks and credit card providers support
Apple’s Touch ID technology, allowing consumers to access their mobile
application by pressing a finger to the iPhone’s fingerprint scanner. USAA,
a financial services and insurance firm that caters to military veterans
and service members, uses facial and voice recognition and fingerprint
scanning for customer access to its mobile apps. Starwood Hotels & Resorts
allows preregistered hotel guests to bypass the check-in desk and tap their
smartphone or Apple Watch to unlock hotel room doors. Ninety-one percent of
companies say they are using some form of advanced authentication to
replace the traditional password credentials.

Security frameworks: Security frameworks, such as ISO 27001 and the U.S.
National Institute of Standards and Technology Cybersecurity Framework, are
gaining acceptance among organizations seeking to establish a foundation on
which to mitigate risks. Such frameworks help companies identify and
prioritize risks, gauge the maturity of their cybersecurity practices and
better communicate. The Canadian Imperial Bank of Commerce has developed a
scorecard based on framework controls that it uses to measure the maturity
of its security program, according to the PwC report. Burg says 91 percent
of organizations have adopted a security framework to hedge against risks.

Strength in numbers: Most companies -- 56 percent surveyed -- are partnering
with one another, sharing threat intelligence with others as a collective
defense. Most organizations say such collaboration allows them to share and
receive more actionable information from industry peers, as well as
Information Sharing and Analysis Centers (ISACs). Burg says information
sharing got a boost earlier this year when President Barack Obama signed an
executive order that encourages collaboration among public and private
organizations through Information Sharing and Analysis Organizations
(ISAOs) designed to be more flexible than ISACs.

“ISAOs will fill certain gaps that current groups do not address and
ultimately play a valuable role in contributing to a national cybersecurity
immune system,” says Burg. He says PwC is currently working with
stakeholders from the White House, industry and academia to improve the
ISAOs.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
