Communication Lags Between C-Level Execs and Security Staff
There’s no sign that cyber-attacks on large organizations will abate anytime soon—if anything, these offensives are getting more aggressive and damaging as time goes on. And unfortunately, a lingering gap between awareness and implementing effective security programs leaves many organizations vulnerable.
The good news is that C-suite executives are becoming more aware of the risk to their organizations that cyber-threats represent—after all, boards are increasingly being held accountable, often publicly, for security incidents. The bad news is that there’s still an endemic communications breakdown at play between IT and security staff and the executive set, which is preventing the implementation of more effective security postures.
Survey Says…Communications Breakdown
Survey after survey reveals the disconnect between executives and day-to-day security forces inside organizations. For instance, research from CyberArk found that while 60 percent of respondents believe their organization could be breached, one third of CEOs and 43 percent of management teams are still not regularly briefed on cyber security issues and the related business risks.
This is leading to a false perception of the security landscape for the people that ultimately must sign off on security initiatives. IBM Security and IBM’s Institute for Business Value (IBV) found in recent research that 70 percent of CxOs think rogue individuals make up the largest threat to their organizations. The reality is that 80 percent of cyberattacks are driven by highly organized crime rings in which data, tools and expertise are widely shared.
The study found that a broad set of adversaries concerned the C-suite: 54 percent acknowledged crime rings were a concern, but respondents gave nearly equal weight to competitors, at 50 percent.
Similarly, 50 percent of CEOs agree collaboration is necessary to combat cybercrime. Yet ironically, only one-third of CEOs expressed willingness to share their organization’s cyber security incident information externally. This exposes a resistance to widespread and coordinated industry collaboration, while hacking groups continue to perfect their ability to share information in near real-time on the Dark Web.
“The world of cybercrime is evolving rapidly, but many C-Suite executives have not updated their understanding of the threats,” said Caleb Barlow, vice president, IBM Security. “While CISOs and the Board can help provide the appropriate guidance and tools, CxOs in marketing, human resources, and finance, some of the most sensitive and data-heavy departments, should be more proactively involved in security decisions with the CISO.”
An overwhelming number of the CxOs surveyed by IBM, 94 percent, believe there is some probability that their company will experience a significant cyber security incident in the next two years. Yet according to IBM’s analysis, only 17 percent of the respondents feel prepared and capable to respond to these threats. And, only 57 percent of companies report they have rolled out employee training that addresses cyber security, a first step in getting employees engaged on cyber security.
So what’s defining this state of affairs? For one, security staff and business planners just aren’t speaking the same language.
IT security professionals in the CyberArk survey revealed a widespread belief that C-level executives don’t know enough about cyber security, with 69 percent of respondents stating that it’s simply too technical for their CEO. In fact, more than half cited the lack of cyber-expertise among the higher-ups as their primary challenge.
But when it comes to alerting C-suite executives about cyber-risk, IT and security professionals are still doing a terrible job, bogged down in technical jargon and a lack of business context.
According to Auriga Consulting, the problem starts with the monopolization of the risk management function by IT and security consultants. According to a survey of large and medium-sized businesses in the UK, board-level ownership of cyber risk stands at just 19.4 percent, and only 16.6 percent place cyber risk in the top five on the risk register, despite how severe a realized cyber risk can be.
This means that communication from the IT team to the board is essential in ensuring that risk is understood, managed and acted upon effectively. But compounding the problem is poor knowledge transference (especially the aforementioned use of jargon, acronyms and buzzwords). This misinterpretation of risk is endangering the decision-making process and ultimately future economic development.
Instead, the firm said, risk should be treated as a strategic dynamic process, with a dialogue created and maintained with the board where risk is regularly assessed and adjusted. And so far, that’s not happening.
In a similar vein, according to Osterman Research, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cyber security threats. Only two in five IT and security executives said that they are pressured by the board to provide an accurate report about data breaches and attack attempts; in fact, even fewer say there are repercussions if they do not provide an accurate report to the board.
“Overall, the report shows the board isn't doing its job when it comes to holding their CISOs accountable for providing actionable and accurate information about their cyber-risk—and IT and security executives are not doing their jobs and making sure the information they report is understandable, actionable and accurate,” said a spokesperson for Bay Dynamics, which sponsored the report.
That said, budgetary constraints are usually cited as the No. 1 barrier to implementing cyber security enhancements.
The inaugural Dell Data Security Survey found that 75 percent of business decision-makers have plans to increase current security measures, and more than half expect to spend more money on data security in the next five years. But at the same time, only 25 percent of decision-makers are "very confident" in their C-suite's ability to budget enough for data security solutions over the next five years, because of executive concerns about detracting from other business initiatives. An unfortunate 69 percent of decision-makers still view data security as a burden on their time and budget.
And, among those not increasing security spending at all, cost was the primary factor for 53 percent of respondents.
“The fact of the matter is that non-technical executives are often in control of the purse strings; it is therefore vital that IT security professionals work to ensure that their leadership team fully understand the evolving threats facing their business and that appropriate resources are allocated to implementing a multi-layered and effective security strategy – a far more cost-effective strategy than remaining an easy target for an attacker,” said Matt Middleton-Leal, UK and Ireland director, CyberArk.
Opening Up Vast Security Holes
This state of affairs is translating into real risk. Case in point: Although 83% of IT staff in Mimecast’s Email Security Uncovered global research study highlight email as a common attack vector, one out of 10 reports not having any kind of email security training in place. And, while 64% regard email as a major cyber security threat to their business, 65% also feel ill-equipped or too out of date to reasonably defend against email-based attacks. One-third of respondents also believe email is more vulnerable today than it was five years ago.
This, even as email is the lifeblood of most organizations’ communications with partners, customers and between employees—and represents the primary starting point for attacks, via spear phishing techniques. Spear phishing attacks have been associated with multiple recent high-profile data breaches, including those experienced by Target, Sony and the Pentagon.
A full 90% of respondents in a survey conducted by Vanson Bourne who experienced a spear phishing attack within the past year said that the attacks targeted employees’ email—at a cost that ranges into the millions per incident. The research in fact found that in the past 12 months, spear phishing was responsible for 38 percent of cyber-attacks on their enterprises.
But here’s the kicker: C-suite involvement was the cause of the biggest gaps found between the most and least prepared respondents. Among the IT security managers who feel most prepared, five out of six say that their C-suite is engaged with email security. However, of all IT security managers who were polled, only 15% say their C-suite is extremely engaged in email security, while 44% say their C-suite is only somewhat engaged, not very engaged, or not engaged at all.
“It’s essential that executives, the C-suite in particular, realize that they may not be as safe as they think and take action,” said Peter Bauer, CEO, Mimecast. “Our research shows there is work still to be done to be safe and we can learn a lot from the experience of those that have learnt the hard way.”
Real Costs to Consider
Cyber-incidents are expensive—in case that wasn’t clear. For instance, the Vanson Bourne study found that the average financial cost of spear phishing attacks (in the last 12 months) among the respondents who had suffered a spear phishing attack was $1.6 million. For US businesses, the average cost of spear phishing attacks was $1.8 million.
But the real-world impact of poor security practices goes deeper than that. Home Depot, for example, has agreed to pay as much as $19.5 million in remediation fees for the 2014 point-of-sale breach, which affected 56 million cards and represents the biggest payment data breach of all time.
Facing two class-action suits, Home Depot has agreed to pay $13 million to reimburse victims for their losses, and $6.5 million to provide them with one-and-a-half years of identity protection services. The retailer also agreed to hire a chief information security officer (CISO). The firm said it now applies enhanced encryption to payment card data, and has been rolling out chip and PIN technology.
In all, Home Depot has reportedly booked $161 million in pre-tax expenses for the breach.
Home Depot isn't alone in paying remediation. Last year, Target agreed to pay $10 million in a settlement over a data breach it suffered in 2013 that affected 40 million cards.
Tips for Making Things Better
It’s clear that key executives need to be more engaged with IT security and CISOs beyond planning for security, and take a more active role. And indeed, IBM found that cyber security is viewed as a top concern of 68 percent of CxOs, and 75 percent believe a comprehensive security plan is important. So, organizations have an opportunity to make things better.
IBM identified standout respondents to its survey, classifying 17 percent as “Cyber-Secure” respondents, the most prepared and capable CxOs. “Cyber-Secure” leaders are two times more likely to have incorporated C-Suite collaboration into the cyber security program and two times more likely to have elevated cyber security to a regular agenda item at the board level.
Secure organizations evaluate their ecosystem for risks, conduct security risk assessments, develop education and training for employees and incorporate security into the enterprise risk plan. They also establish a security governance program, empower the CISO, elevate and regularly discuss cyber security at C-suite meetings, and include the C-suite in developing an incident response plan.
Edited by Peter Bernstein