[BreachExchange] Execs don’t believe their companies learn the right lessons in cybersecurity

Destry Winant destry at riskbasedsecurity.com
Wed Jun 20 23:16:52 EDT 2018


https://www.helpnetsecurity.com/2018/06/20/learn-cybersecurity-lessons/

A majority of executives around the world feel their organizations can
do better when it comes to learning from their past cyber mistakes,
according to the results of a newly released global survey conducted
by The Economist Intelligence Unit (EIU) and Willis Towers Watson.

The EIU surveyed over 450 companies across the globe about their
strategies and the challenges they face in building cyber resilient
organizations. While most organizations regard themselves as doing a
good job on incident response, only thirteen percent said their
organizations were above average in incorporating learnings from cyber
incidents into resilience strategies.

The survey found little consensus among boards and executives on cyber
resiliency planning, including the deployment of strategies across the
organization, where to allocate funds, and what areas of the
organization are most at risk. The split in cyber preparedness was
also apparent across geographies, as North American companies contrast
strongly with their peers in Asia and, to some extent, the EU on
issues such as expectations for frequency and impact of cyber-attacks,
and confidence in their ability to recover from a breach.

Interestingly, of the four regions surveyed (North America, UK, Europe
and Asia), the UK had the highest rate of perceived cyber resiliency
at 21%.

Some other key findings of the report include:

- The average corporate cyber resilience spend was about 1.7 percent of
  revenue, and 96 percent of board members believe that isn’t enough.
- North America spent the highest on cyber-resilience as a percent of
  revenue (2-3%), whereas the other regions spent between 1-2% or less.
- Among executives, there is little consensus on how to allocate cyber
  budgets – but very close responses were given between “technology to
  harden cyber-defenses” and “IT talent acquisition, skills
  training/development”.
- 3 out of the 4 regions believe that the “board as a whole” should
  oversee cyber risk, while Europe disagreed, saying it should be a
  dedicated cyber group.

“It’s important for companies to understand that achieving cyber
resiliency is a company-wide imperative, one that shouldn’t be
sequestered to certain roles or functions,” says Anthony Dagostino,
global head of cyber risk with Willis Towers Watson. “Boards should
emphasize the need for a strategic framework, and the C-Suite should
set the tone within their organizations by empowering stakeholders,
such as IT, Risk, HR, legal and compliance to drive an integrated risk
management and resiliency strategy. While technology will remain a
crucial defense, more than half of cyber incidents are attributable to
employee behavior and talent deficits in cybersecurity roles, so
investing in other areas such as human capital solutions and cyber
insurance have to become part of regular board and C-Suite
conversations.”
