CIOs, CSOs suffering due to outdated security strategies

by CXOtoday News Desk    Sep 26, 2013


Despite having increased their spending on IT security, CIOs and CSOs are still not able to effectively defend against the ever-increasing cyber threats. Many are defending against future threats with yesterday’s strategies, says a recent PwC survey on “The Global State of Information Security.” While information security programs have advanced, few organizations are prepared for tomorrow. New and continually evolving models of information security are needed to keep pace with today’s determined adversaries, suggests PwC.

“Our survey results reveal that while there have been improvements in security at companies today–which is a positive sign–many organizations are lagging their opponents, and this poses significant problems for the future,” said Mark Lobel, a PwC Advisory principal focused on cybersecurity. “It is essential that executives actively re-evaluate and update their security strategies and practices on a continual basis to keep pace with today’s threat actors. Without an agile approach to information security, organizations will be underprepared for the evolving and increasingly sophisticated attacks that may be more complicated, complex, and damaging.”

According to the global survey of more than 9,600 executives, the number of security incidents detected in the past 12 months increased by 25 percent over last year; however, the number of respondents who do not know how many incidents occurred has doubled over the past two years.

Smart phones, tablets, the “bring your own device” (BYOD) trend, and the proliferation of cloud computing have elevated security risks, yet efforts to implement mobile security programs do not show significant gains over last year and continue to trail the increasing use of mobile devices. While 47 percent of respondents use cloud computing—and among those who do, 59 percent say security has improved—only 18 percent include provisions for cloud in their security policy. The survey found that while most respondents have implemented traditional security safeguards (such as VPNs, firewalls, encryption of desktop PCs), they are less likely to have deployed tools that monitor data and networks to provide real-time intelligence about today’s risks.

In today’s elevated threat landscape, it is critical that organizations rethink their security strategy so that it is integrated with business needs and strategies and is prioritized by top executives. Yet the survey found many respondents have not done so. Collaboration with others to improve security has become a key way to gain knowledge of dynamic threats and vulnerabilities; however, only 50 percent of respondents said they collaborate.

“Integrated security should be a pivotal part of an organization’s business agenda and organizational culture – and every employee, supplier and partner should understand and agree to follow your security policy,” said David Burg, PwC’s Global and U.S. Advisory Cybersecurity Leader. “Building and sustaining a culture of security awareness will also require the full support of top executives, including the CEO and board members. It cannot happen without them.”

Respondents say the top three obstacles to improving security are: insufficient capital funding, a lack of vision on how future business needs will impact security, and a lack of leadership from the CEO or Board.

“You can’t fight today’s threats with yesterday’s strategies,” said Gary Loveland, a PwC Advisory principal focused on cybersecurity. “What’s needed is a new model of information security, one that is driven by knowledge of threats, assets and the motives and targets of potential adversaries.”

Insiders, particularly current or former employees, are cited as a source of security incidents by most respondents. And while many believe nation-states cause the most threats, only 4 percent of respondents cited them, whereas 32 percent pinpoint hackers (those who gain unauthorized access to a computer or network to steal information or cause harm) as a source of outsider security incidents.

Source: The Global State of Information Security Survey 2014, a worldwide survey by CIO, CSO and PwC