Cybersecurity is a necessary investment for organizations of all shapes, sizes and industries. Yet studies continue to show a disheartening fact: Chief Information Security Officers (CISOs) are still not being heard by their boards, and are often absent from board of directors' meetings altogether.

A recent study by industry experts ISACA and RSA Conference reveals that 82% of cybersecurity and information security professionals report that their board of directors is concerned or very concerned about cybersecurity, but only one in seven (14%) CISOs reports to the CEO.

It’s hard to say whether business executives are really taking cybersecurity seriously or just saying they are. The fact that a majority of CISOs continue to report to the Chief Information Officer (CIO) rather than to the CEO shows that cybersecurity is still being viewed as a technical issue and not a business one.

Additional findings from the study worth mentioning:

  • 74% of security pros expect a cyberattack in 2016 and 30% experience phishing attacks every day.
  • 75% of security pros are confident in their team’s ability to detect and respond to incidents. Although this is a good sign, the number has declined from last year’s 87%. Within a year, instead of growing, security pros’ confidence in their ability to protect their organization has fallen.
  • 24% of security pros don’t know if any user credentials were stolen in 2015 and the same percentage doesn’t know which threat actors exploited their organizations.
  • 23% of security pros don’t know if their organization has experienced an advanced persistent threat (APT) attack and 20% don’t know whether any corporate assets were hijacked for botnet use.
  • Six in 10 security pros don’t believe their staff can handle anything more than a simple cybersecurity incident.
  • The share of professionals who indicate that fewer than half of the job candidates they consider are “qualified upon hire” has increased from 50% to 59% in the last year, and the share of organizations that need six months to fill a cybersecurity position has also risen, from 23% in 2014 to 26% in 2015.

These findings highlight another set of challenges organizations have yet to overcome besides the CISO/C-Suite communication problem:

  • Security pros aren’t sure if they can detect and respond to incidents.
  • Security pros don’t know what’s going on with their data and don’t have eyes on the organization’s network.
  • The level of confidence in staff is low and training isn’t making it better.
  • Last but not least, finding experienced security staff hasn’t gotten any easier since last year.

These challenges should be shrinking, not growing. Solving them starts with the awareness that simply increasing the budget isn’t enough, because security is much more than technology, training or awareness; where and how that budget is allocated makes a huge difference. It takes open and unrestricted communication between the organization’s security leaders (CISOs and CIOs) and the CEO and C-Suite, so that executives understand the issue as a whole and what resources are needed to address it appropriately. It takes an understanding that risk management is a process in its own right, one that has to be applied at every level of the business. And business leaders must recognize the need for outside security expertise when in-house resources are limited.

Vulnerabilities grow by the minute as digital and online business operations expand, and the level of cybersecurity is not keeping pace with what is needed to defend an organization’s data and overall infrastructure. Although businesses are trying to improve their security posture, there is still much that can be done. The sooner organizations understand where they stand with security and what they need in order to defend themselves proactively, the sooner they reduce the risk of a breach or cyberattack they won’t be able to come back from. The best place to begin is to answer the following questions:

When was your last security assessment? How confident are you in the security measures you’ve put in place? Have you considered an outside assessment to verify where you stand?


Get in touch if you would like to be confident in where your security stands.

Photo courtesy of Maksim Kabakou