Data breaches and security incidents continue to plague enterprises, yet a surprisingly low percentage of these enterprises are actually taking proactive steps to improve their overall IT security posture. According to a new AttackIQ report based on Ponemon Institute research, 63% of IT security leaders do not report to the board of directors on a regular basis, and 40% do not report to the board at all. Moreover, as the AttackIQ report demonstrates, a majority of enterprises still have a reactive, incident-driven approach to IT security that leaves them very vulnerable to outside hackers.
Lack of board involvement and accountability
Given all the headlines that data breaches and cyber hacks continue to generate on a regular basis, you would think that C-Suite leaders (especially security leaders, such as the CSO) and board members would take a more active and involved role in guiding their company’s cyber security strategy. However, based on the Ponemon survey of 577 IT and IT security practitioners in the United States, that is not yet the norm. Nearly 4 in 10 IT security leaders (40%) do not report to the board at all, showing a clear lack of accountability. And 14% of IT security leaders only report to the board following a security incident. By then, of course, it’s too late to do anything.
Moreover, even when the board of directors is kept in the loop regarding cybersecurity issues, they are not doing anything about it. According to the Ponemon survey, 28% of IT security leaders say that the board of directors or the CEO determines or approves an acceptable level of cyber risk for the organization. And 21% of IT security leaders say that the board or CEO requires any form of cybersecurity due diligence in the mergers & acquisitions (M&A) process, meaning that a company might unknowingly be introducing a hazardous level of cyber risk into the enterprise with every new M&A deal.
The picture that emerges from these survey results is that C-Suite executives and board members simply are not accepting any form of substantial responsibility for cyber risk within the enterprise. As a result, IT security issues are essentially compartmentalized within one or two departments, and senior leadership and other enterprise leaders are simply not aware of what’s happening, or how exposed the company’s data assets and mission-critical processes might really be. This sends the message that IT security is not important.
Reactive instead of proactive approach to cyber risk
The AttackIQ/Ponemon survey also looked into how proactive IT security leaders were in guiding cybersecurity strategy, tactics and best practices. Here, too, it appears that IT security leaders are coming up short. Instead of regular monitoring and analysis, they are largely resorting to a reactive, incident-driven approach. In other words, for most organizations, security is only an issue if something bad happens. If not, then it’s business as usual. For example, 69% of IT security leaders said their organizations had a “reactive” approach to cyber security, and 63% said that IT security leaders need better monitoring tools. So, it’s not just a case that organizations are lackadaisical about cyber security, but also that they simply do not have any visibility into the types of risks that they might be facing.
Of course, skeptics might say that, since AttackIQ offers continuous security monitoring and validation tools and technologies, it has a clear vested interest in highlighting all the weaknesses in enterprise-level organizations. That might be true, but the fact is that a lack of monitoring and analysis is directly correlated to the overall level of risk. In short, the less you monitor, the more potential risk you face. To make that clear, more than half (56%) of those surveyed said that their IT security infrastructure had gaps in coverage or other weaknesses that were vulnerable to attackers.
The need for better metrics and measurement tools
Finally, the AttackIQ/Ponemon study looked at the metrics and measurement tools used by IT security leaders to gauge their overall level of risk. As might be guessed by now, these tools left a lot to be desired. For example, only one-quarter (24%) of respondents said that they had a “mature” measurement and metrics program, and another 30% said that they had a “partial” measurement and metrics program. Everyone else, it appears, had, at best, a patchwork measurement and metrics program. In fact, 40% of IT security leaders said that they do not quantify or track their IT security posture, and only 39% of those that do actually report their findings to the board of directors.
A clear lack of accountability for IT security leaders
The picture that emerges from the Ponemon study is that there is a clear lack of both accountability and responsibility at a majority of organizations. Nearly half of organizations don’t measure and track their overall cyber risk profile, and of those that do, few report it to the board of directors. Meanwhile, C-Suite executives are focused on other (presumably more profitable) aspects of the enterprise, and don’t have the time or inclination to learn about cyber issues. As a result, most organizations have a reactive rather than proactive IT security posture, limiting their overall effectiveness and efficiency in responding to cyber threats.
So what can organizations do to correct these problems? The easy answer, of course, is “more tools and technologies.” But organizations are already spending, on average, $18.4 million per year on cyber investments. And they already have a bundle of tools at work – on average, says Ponemon, organizations deploy 47 different cyber solutions and technologies. So it’s easy to say that simply adding Technology No. 48 on top of your IT security stack is going to provide very little incremental value.
Instead, what’s needed is a new corporate culture that values and respects security. And this, according to Ponemon, can only happen if board members and the CEO make it a priority: “Enterprise culture is formed at the top.” Just imagine all the cascading effects if every board meeting opened with a review of IT security profiles, if IT security leaders had weekly meetings with the CEO, or if IT security leaders had greater access to resources (financial, tech and staffing). That might be what is needed if organizations are going to keep up in a very complex, constantly changing cyber threat environment.