CISOs: Out of tune with information security?
CISOs: Out of tune with information security?

That is just one of the questions resulting from Cisco's latest Annual Security Report, which finds that while 91 percent of the 1,700 respondents (from the UK and eight other countries) are confident in their IT security practises, only half of these are using standard tools like vulnerability scanning, patch management solutions, user provisioning and pen-testing to stop intrusions. Only 10 percent say they are using the most recent version of Internet Explorer.

If that infers there is a disconnection between security in theory and reality, that is further explored in a 50-page report which reveals that CISOs are often more confident in their firm's IT security than their security operations managers.

Approximately 62 percent of CISOs agreed with the statement that their company's security processes are ‘clear and defined' – compared to 48 percent of SecOps managers – while 59 percent of CISOs believed their security technologies were ‘optimised', a view that was only shared by 46 percent of SecOps managers.

Cisco's researchers said that this mismatch could be easily explained: “It's likely due to the fact that CISOs are more removed from day-to-day security activities, whereas SecOps staffŒ are working closely to resolve both major and minor security incidents. A CISO of a very large organisation might not realise that a thousand machines are infected by malware in a typical day, whereas the SecOps manager would have devoted much more time to mitigating the infection, hence his or her less optimistic outlook on organisational security,” reads the report.

“In addition, CISOs may be setting policies, such as blocking access to social media, which gives them the illusion of tighter, more impenetrable security defences. However, by shutting down such channels completely, security teams may lack knowledge or experience of the threats that still exist just outside.”

In addition, the report notes that while confidence in security policies is generally high among both CISOs and their security teams, there is ‘markedly less' confidence in their firm's ability to actually scope and contain a security compromise.

Exec buy-in equals better security

Approximately 91 percent of companies say they have executives directly responsible for security, with this split relatively evenly between CISOs (29 percent) and CSOs (24 percent). Cisco said that this senior accountability always benefits a company's overall security strategy.

“The high level of organisations with a security point person is encouraging: Without security leadership, processes are less defined, communicated, and enforced. It is likely that recent high-profile security breaches have spurred on organisations to carve out a place for security management in their executive ranks,” reads the report.

Cisco's views appear to be backed up by the report's respondents; 91 percent of respondents from ‘sophisticated' companies agree that their company exec considers security a high priority, but only 22 percent of persons from the least sophisticated companies agreed with this statement.

Meanwhile, 88 percent from sophisticated agree security processes are clear and understood compared to 0 percent of least-sophisticated companies.

Patching remains an issue

The most sophisticated information security teams not only have executive input but they've also deployed the right security tools too; 78 percent of sophisticated firms agree that their technologies are well integrated to work effectively together, compared to just 17 percent of less sophisticated outlets.

Despite this, there is the potential for overstating their technical capabilities. 75 percent of CISOs agreed that their tools were ‘very' or ‘extremely effective' and yet the report goes on to note that less than 50 percent are using patch and configuration management, pen testing, vulnerability scanning, user provisioning or identity admin. Fewer than 40 percent are patching, as SC US notes.

These findings follow shortly after a Trustwave report, which revealed that a lot of security technologies end up as 'shelfware' – unused and left on the shelf.

Interestingly, the best security teams are not even necessarily bigger with Cisco saying that the median size teams at both sophisticated and less sophisticated companies is 32.

All the while, cyber-criminals are becoming more proficient and are looking for alternative ways to compromise enterprise networks, according the Cisco intelligence researchers.

Around 1 percent of highly urgent vulnerabilities and CVE alerts were actively exploited in 2014, while threat actors turned web exploits, spam (up 250 percent year-on-year) and JavaScript-embedded Flash malware to conceal malicious activity.

Spam rose 250 percent and there was a considerable rise in snow spam – the process of sending low volumes of spam from a large set of IP addresses to avoid detection and create opportunities to use compromised accounts.

Cyber-criminals say Cisco, have also looked to move away from compromising servers and OS and instead exploit users – often the low-hanging fruit – via browser and phishing emails.

Users downloading from compromised sites contributed to a 228 percent increase in Silverlight attacks along with a 250 percent increase in spam and malvertising exploits, the report adds.

In slightly better news, Java exploits were down 34 percent and there has been no major exploit kit since Blackhole in 2013. More worrying however, 56 percent of firms are running versions of Open SSL that are four-years-old.

On hearing this news, Sophos global head of research and SANS instructor James Lyne told  that CISOs were in an unenviable position of trying to keep pace with modern technology.

“A good CISO will always hedge their bets because they know there's no 100 percent in security. So when they say 'yeah we're secure', you know that's probably not the truth.

“That said, it's a real challenge for a chief information security officer. This explosion of technology, and such a demand for business to adopt, it's harder and harder for a CISO to get in the ebb of flow of good decision making about technology.”

Lyne added that this was further complicated by the fact that CISOs would often be promoted within the business, and would, as a result, have to learn new things like becoming a risk manager. “You've kind of got to be all things to all people,” he added.

John N. Stewart, senior vice president and chief security and trust officer at Cisco, added in a statement that security now calls for a universal approach.

“Security needs an all hands on deck approach, where everybody contributes, from the board room to individual users. We used to worry about DDoS, now we also worry about data destruction. We once worried about IP theft, now we worry about critical services failure. Our adversaries are increasingly proficient, exploit our weaknesses and hide their attacks in plain sight. Security must provide protection across the full attack continuum and technology must be bought that is designed and built with that in mind.  Online services must be run with resiliency in mind, and all of these moves must happen now to tip the scales and protect our future.  It requires leadership, cooperation, and accountability like never seen before in our industry.”

Rob Lay, solutions architect for enterprise and cyber-security at Fujitsu UK & Ireland, added in an email to SC. “Businesses should implement security education down to each individual employee so everyone understands their responsibility in keeping the business safe. Ensuring board-level buy-in and making sure that this is visible to all employees will also help to develop support and engagement for security programmes within the business.  Understanding how security events actually impact and relate to the business is key in spotting a security incident early enough to defend against it.

“Due to the advanced nature of many of today's threats, an effective security education programme is vital in helping to identify and protect organisations appropriately.”

This news follows the KPMG health check which revealed a significant disconnect between infosec teams and the boardroom at FTSE 350 companies. Despite 74 percent of companies believing their boards were giving sufficient focus to cyber-security issues, only 24 percent of board members said they regularly reviewed the risk management of valuable company information and data assets. In fact, 65 percent admitted that they “rarely or never” did so.