C-level cyber-awareness: the disconnect
Bridging the gap between executive awareness and enterprise security requires teams to provide greater visibility into programme performance and to communicate regularly about emerging threats, says Matt Middleton-Leal
Matt Middleton-Leal, regional director of UK & I, CyberArk
Attacks on enterprises by cyber-criminals show no sign of slowing and IT teams are stretched to capacity trying to get ahead of advanced threats. The Bangladesh Central Bank (BCB) and VTech are among the companies that have suffered a data breach in just the past few months. Breaches have huge impact, not only on customers whose data is exposed and at risk, but also on the companies, which are often penalised financially and suffer severe consequences in terms of their reputation. Indeed, it has now been revealed that the head of the BCB, Atiur Rahman, resigned following the loss of more than US$100 million (£70 million).
As CEOs and the board are increasingly pushed to take responsibility for data breaches, inevitably cyber-security strategies are rising up the boardroom agenda. According to recent industry research from Dimensional Research*, there is a clear disconnect between those holding the purse strings and those with direct responsibility for managing IT security programmes.
With 60 percent of respondents believing their organisation could be breached, businesses are aware of the cyber-security threat, but there is not yet enough coordinated insight – or action – to mitigate it sufficiently. Sixty-two percent of respondents believe that CEOs don't know enough about cyber-security, 69 percent think that cyber-security is too technical for the CEO, and 44 percent question their CEO's ability to grasp the severity of today's risks. Despite this, those higher up in an organisation often have the final say over budget and security strategy. Combined with inadequate visibility of the risks and of the security precautions in place, that could be the difference between a company fending off an attack and suffering the consequences of one.
General awareness doesn't equate to robust security
Arguably, to be better prepared to limit damage from a cyber-attack, CEOs and the board need to be more thoroughly briefed on security, especially as it's generally accepted that it's a case of ‘when' a company is breached, rather than ‘if'. According to our research, a third of CEOs are still not regularly briefed on cyber-security issues, despite the related risks to the business. What's more, 43 percent of management teams don't receive security status reports, indicating that security risks may not be adequately prioritised among senior leadership.
For those who are briefed on IT security, it's important to understand exactly what is being reported. With 79 percent of respondents in the research citing compliance and audit findings as a measure of their security programme's effectiveness, CEOs may be lulled into a false sense of security. Ticking a box for compliance purposes strips away the context of the situation and the duty a company has to treat data responsibly: a passed audit shows that controls existed at a point in time, not that they would hold up against an attacker.
A well performing security programme
It is essential that a proactive, multi-layered security programme is put in place to counter the threat of cyber-criminals. This needs complete buy-in from employees and IT teams as well as from the CEO and board, and it should be built on effective security measures such as risk metrics and threat detection analysis. After all, CEOs can only make decisions using the information they're equipped with.
As part of this, the IT team needs to be prepared to walk the CEO through breach examples and explain common exploits and vulnerabilities, while educating on IT security fundamentals. This is a critical step in improving an organisation's overall security posture.
The survey identified several areas for improving organisational security, with endpoint security and privileged account security named as the top two organisational security priorities over the coming year. Privileged accounts are a common target in almost all data breaches, because once compromised they give the attacker the maximum access rights within the organisation's network. It stands to reason, therefore, that securing these particular accounts should be a high priority for the organisation, rather than relying on traditional perimeter-based security, which is not an effective defence for keeping hackers off the network.
It is only when armed with the right information about how cyber-security programmes are performing that an organisation can get a realistic view of its risk profile and take action. Bridging the gap between executive awareness and enterprise security requires teams to prioritise cyber-security risks and what needs to be protected, and to establish a business case for more effective mitigation techniques – including an assessment of cyber-security skills and budget. By providing greater visibility into programme performance and regularly communicating about emerging needs, IT security professionals will gain the support of the executive team and in turn help their organisation become more proactive in protecting against advanced threats.
*“The Gap Between Executive Awareness and Enterprise Security” survey was conducted by Dimensional Research. The study, commissioned by CyberArk, surveyed 204 global IT security professionals.
Contributed by Matt Middleton-Leal, regional director of UK & I, CyberArk