[BreachExchange] The Disconnect Between Cybersecurity & the C-Suite

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 29 16:52:09 EST 2017


https://www.darkreading.com/attacks-breaches/the-disconnect-between-cybersecurity-and-the-c-suite-/a/d-id/1330675


Despite all the attention that massive hacks and other breaches have
attracted in recent years, organizations everywhere still struggle to
comprehend the scale of and manage emerging cyber-risks. Of the more than
9,500 senior executives in 122 countries who participated in
PricewaterhouseCoopers' Global State of Information Security Survey (GSISS)
2018, only 39% say they are very confident in their attribution
capabilities — that is, their ability to detect and trace cyberattacks.

As highlighted in the GSISS report, US infrastructure is still susceptible
to what the World Economic Forum (WEF) deems in its Global Risk Report
2017 as the prime business risk in North America: "large-scale cyber-attacks
or malware causing large economic damages, geopolitical tensions, or
widespread loss of trust in the internet."

"All organizations, no matter how prepared they think they might be, need
to verify whether strategic cybersecurity goals are being executed," Grant
Waterfall, partner at PwC and global leader of its cybersecurity and
privacy practice, told me in an interview. "The UN's 2017 Global
Cyber-Security Index ranks the United States among the member states most
committed to cybersecurity, second only to Singapore. And yet the White
House's National Infrastructure Advisory Council wrote in an August 2017
report that many US infrastructure companies are not practicing basic cyber
hygiene despite the availability of effective tools and practices, he adds.

Where Are the CISOs?
Some 40% of GSISS respondents say that disruption of their operations is
the biggest potential consequence of a cyberattack. Another 39% cite the
compromising of sensitive data, 32% cite harm to product quality, 29% cite
damage to physical property, and 22% cite harm to human life as the biggest
by-products of an attack.

Meanwhile, cybersecurity executives are either absent or thin on the ground
in many organizations. Only about half (52%) of respondents say their
organizations have a CISO on the payroll. While 45% say they employ a chief
security officer, another 47% say they recruit dedicated security staff to
support internal business operations.

"Cyber-risk management is a journey—and many organizations are not far
enough along on that journey to realize the need for dedicated senior-level
oversight of these issues," Waterfall said. "Also, in some cases it is a
question of resources. Many small- and medium-sized businesses, including
critical infrastructure companies, lack the resources of larger
organizations. And cybersecurity resources are scarce."

Wanted: Board-Level Oversight, Proactive Risk Management
It's clear that leaders must assume greater responsibility for building
cyber resilience. In the private sector, the people responsible for
business results must also be held accountable for the security risks
associated with doing business. Boards, too, must exercise effective
oversight and proactive risk management. Strategies for business
continuity, succession planning, strategic alignment, and data analytics
are key, yet the 2018 GSISS found that most corporate boards are not taking
tangible action to shape their companies' security strategies or investment
plans. Only half of respondents say their organizations conduct background
checks (pen tests, threat assessments, active security monitoring, etc.) to
uncover cyber-risks. Similarly, only 44% of GSISS respondents say their
corporate boards actively participate in their companies' overall security
strategy.

According to the GSISS, cyber threats are among the top concerns for CEOs
today. In fact, the US CEOs surveyed ranked cyber threats No. 2 among their
top worries, second only to the prospect of over-regulation. In addition,
the survey identifies the fastest-rising worries for US CEOs as
cybersecurity, the speed of technological change and the lack of trust in
business.

Organizations Must Dig Deeper to Uncover Risks
Building greater resilience against cyber threats — as a society and within
organizations — will require a concerted effort to uncover and manage new
risks inherent in emerging technologies. Organizations need to have the
right leadership and processes in place to implement the security measures
required by digital advances. Many organizations are just beginning this
critical journey.

Because it is often a result of boards' lack of involvement in security
measures, this lag should come as no surprise. Just under half of all GSISS
participants agree that risk is the only factor that matters when it comes
to security spending. Roughly one-third disagree, and the remaining
participants are on the fence. A majority of GSISS respondents (66%) say
their organizations' security spending aligns with the revenues of each
line of business, but one-third (34%) say that is not the case or they are
unsure. As the CISO function grows in importance, it will become more
common for a company's security leader to report directly to the CEO or the
board of directors than to the CIO.

But it's not just up to boards. Greater information sharing and
coordination among stakeholders is also high on the to-do list. Only 58% of
respondents say they formally collaborate with others in their industry,
including competitors, to improve security and reduce the potential for
future risks. Trusted, timely, actionable information about cyber threats
is a critical enabler for rapid-response capabilities that support
resilience.

Next Steps for Security and the C-Suite
Ultimately, C-suites must lead the charge — and boards must be engaged.
Senior leaders driving the business must take ownership of building cyber
resilience. Establishing a top-down strategy to manage cyber and privacy
risks across the enterprise is essential. Resilience must be integrated
into business operations. A company's risk management strategy should be
informed by a solid understanding among all leaders of the cyber threats
facing the organization and an awareness of which key assets require the
greatest protection. There should be a coherent framework for the
organization's appetite for risk. Leadership must drive the development of
a cyber-risk management culture at all levels of the organization.