Raytheon/Websense survey shows less than one-third of security execs believe they have robust programs
Corporations are spending billions of dollars a year on security and are still losing the cyber war. Just as bad, many have their boxing gloves on backwards and aren’t even waging a real fight.
A new survey of security executives at large US companies by Raytheon/Websense finds that only 31 percent of respondents are confident in their security programs, and just 28 percent feel their communication on security metrics and postures to senior management is effective.
Companies feel vulnerable because they aren't able to outwit cyber criminals and prevent attacks. In the last year, nearly nine in 10 companies surveyed had at least one breach, and 20 percent had three to five breaches that resulted in a loss or compromise of data.
It’s not like companies aren’t spending to protect themselves. Last year, $71 billion was spent globally on security, an increase of nearly 8 percent over 2013, Anne Bonaparte, president and CEO of BrightPoint Security said in an email message. ‘Yet incidents over that same period surged 48 percent.’
What’s wrong with this picture? ‘It’s incredibly striking how much money organizations are spending without being able to receive a return on their investment in the form of breach prevention or even reasonable confidence in their security programs,’ Jared Hamilton, senior manager at accounting, consulting and technology firm Crowe Horwath, said in an email message. ‘Management sometimes believes dollars spent on new technology will solve their problems and provide the lock for their data security, but the reality is it’s the people and process components where resources are needed the most to move the needle of progress.’
You need proper ammunition to fight a good fight. Trouble is that most of the security tools used are geared towards providing content to identify malware, drowning analysts in a sea of information, Ashok Sankar, vice president and senior director of cyber strategy at Raytheon/Websense, said via email. ‘Today’s threat landscape requires a new approach,’ he says.
In speaking with Corporate Secretary, cyber-security specialists shared recommendations for how to improve a company’s defenses against attacks.
Focus on what matters most. ‘The biggest problem is that companies are too focused on endpoint security protection technology and believing that there is a single product or tool that will provide complete security and protection,’ Darren Guccione, CEO and co-founder of Keeper Security, said in an email. ‘As the report highlights, security should not solely be measured based on quantitative reactive incidents, such as breaches. Companies should also consider what proactive investments they are making in security infrastructure, such as compliance and identity management.’
All metrics are not created equal. Metrics like the number of breaches are less useful than the dollar amount of financial damage caused by those breaches, Raj Goel, author of the book ‘The most important secrets to getting great results from IT’, said via email. ‘I have yet to see a study of organizations that actually focuses on lessons learned or what can we do better next time.’
Organizations should take a holistic approach: identify their most critical data, understand how that critical data flows, and then build short- and long-term remediation plans based on the areas that carry the highest level of risk. Continually assessing and working toward the goals in those plans is a more effective way to monitor and track progress on cybersecurity risks at an enterprise level, said Hamilton.
Remember your first line of defense – your people. Overdependence on technology has consequences. ‘We lose the value of the human firewall, the culture and values that could make people our most potent infrastructure for defense,’ Lance Hayden, managing director of the Berkeley Research Group, said in an email.
Improve communication. ‘Communicate, communicate, communicate,’ Lizanne Thomas, who heads Jones Day’s corporate governance practice, advised via email. Information must be shared among leadership groups so everyone is on the same page. Boards need to throw out the notion that cybersecurity is solely an IT/CIO issue. Thomas says boards must step up. ‘Board members don’t need to be cyber experts, but they do need some fundamental understanding of the risk.’
Ultimately, the onus is on companies to verify that they have adequate physical, procedural and technical controls in place to detect, analyze, report and recover from intrusions and other incidents, Thomas added.