Time For Senior Execs To Get Serious About Cybersecurity

by CXOtoday News Desk    May 05, 2014


The Heartbleed bug that made headlines in recent days confirms that, despite growing awareness, companies continue to lack the tools and intelligence to protect critical information. One of the primary reasons enterprises are exposed to grave security risks is a strong disconnect between senior executives and security professionals, combined with limited visibility into the nature of attacks, finds a recent study conducted by Websense and the Ponemon Institute. The study surveyed nearly 5,000 global IT security professionals in 15 countries, including India, to gain insight into why cybercriminals have a foothold in the broader enterprise. It shows that it is time for senior executives in the company, not only IT/security professionals, to get serious about cybersecurity.

A stark disconnect

The study shows a stark gap between data breach perception and reality, specifically regarding the potential revenue loss to the business. Nearly 80% of respondents say their company’s leaders do not equate losing confidential data with a potential loss of revenue.

This is in contrast to recent Ponemon research, which indicates that data breaches have serious financial consequences for organizations: the average cost per lost or stolen record due to a data breach is $188, and the average cost of an organizational data breach is $5.4 million.

Forty-eight percent say their board-level executives have a sub-par understanding of security issues. However, we believe that cybersecurity awareness has most likely increased from that of a few years ago.

“The disconnect in perceptions means organizations may not always get the best bang for their security buck,” says Larry Ponemon, Founder and Chairman of the Ponemon Institute, in a statement, adding that “network security is still the largest ticket item in the security arsenal and application security is relatively low, even though many practitioners view the application layer as presenting a higher risk than the network layer or other parts of the security infrastructure.”

The study also points out that this disconnect often explains why security problems constantly plague the applications companies use. It is owing to poor communication and collaboration among the different roles involved in security, and also because many organizations have ad-hoc policies and no formal application security training program to empower staff.

Limited visibility

Limited visibility into cybersecurity activities is a strong barrier that exposes companies to greater risks. Only 37% of respondents could say with certainty that their organization lost sensitive or confidential information as a result of a cyber attack. Thirty-five percent of those who had lost sensitive or confidential information did not know exactly what data had been stolen.

“A majority of security professionals do not feel adequately armed to defend their organizations from threats,” says Ponemon, who believes the challenge is further compounded by a perception that company leaders do not believe that data breaches will lead to loss of revenue, something that is completely untrue.

A mature approach

The study points out that the need of the hour is a mature security program that may result in a secure organization. While in an earlier study Ponemon stated the importance of cybersecurity training for employees, it also noted a clear gap in training programs, with only two out of three executives and directors (who own the budget) thinking they have a mature security program.

Although nearly 70% of executives and directors believe their organization’s internal training and education programs are being updated to ensure that development teams can handle the latest threats, application security policies and best practices, fewer than 20% of technicians said the training programs were vague about the subject, with many feeling the trainings were clearly ineffective.

While senior management should follow a collaborative approach within the organization to attain the best security practices, the study shows that companies that invest in people, technology and process are able to tackle cyber threats much more effectively.