Research just published by the Ponemon Institute suggests that there is a disconnect between IT security professionals and their CEOs/board members.
The report, entitled 'Cyber Security Incident Response: Are we as prepared as we think?', was commissioned by Lancope and also concludes that many organisations are poorly prepared for dealing with cyber-attacks and their aftermath.
SCMagazineUK.com caught up with Tim Keanini, Lancope's CTO, to discuss the report's findings and he said that C-level executives are beginning to realise that modern cyber crime goes significantly beyond what most organisations have security systems in place for.
Keanini says that even the largest organisations can be caught out. As just one example, he says that Sony was "run over" on the data breach front some eight or nine times in various shapes and forms over the years.
At the company level, the Lancope CTO says that Computer Security Incident Response Teams (CSIRTs) in major enterprises also frequently lack the security resources necessary to fend off the steady stream of advanced threats facing their organisations.
"We also have a perfect storm developing in that you no longer need to be an advanced cyber criminal to plan and carry out these attacks. You can now rent this knowledge - and attack services - online for as little as $20 an hour," he said, adding that a growing number of the businesses being targeted are operating on increasingly narrow profit margins, meaning they lack the budget to secure their systems against a breach.
This situation, he explained, is turning the security threat into a business continuity issue - and an issue that does not just involve the IT security department, or the board of the company, in isolation.
"It's an entire company issue," he told SCMagazineUK.com, "and one that involves all departments from HR, all the way to accounts."
Keanini adds that the CEO disconnect is an issue organisations must counter, not least because security communication is becoming a very serious problem. Indeed, the Ponemon study found that 80 per cent of the 670-plus survey respondents did not frequently communicate with executive management about potential cyber-attacks against their organisation.
The report also notes that 68 per cent of respondents say their organisation experienced a security breach or incident in the past 24 months.
And with 46 per cent reporting that another incident is imminent, Keanini says there is a clear disconnect between the people who have to deal with defending against - and dealing with the aftermath of - an attack, and the rest of the staff in a given company.
Delving into the report reveals that some data breaches are remaining unresolved for as long as a month and whilst most organisations said they could identify a security incident within a matter of hours, they revealed that it takes an entire month on average to work through the process of incident investigation, service restoration and verification.
Keanini says security budgets are a major challenge in most companies. The report backs this up, as half of the study respondents said that fewer than 10 per cent of their security budgets are used for incident response activities. Furthermore, the majority of respondents added that their incident response budgets have not increased in the past 24 months.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, was also damning in his observations, noting that companies are not always making the right investments in incident response.
One recommendation, he suggests, is for organisations to elevate the importance of incident response and make it a critical component of their overall business strategy.