Cyber Security Awareness Gap Hurting Enterprises Around The World?



Dan Gunderman
04/23/2018

Despite the widening security surface in the enterprise, and despite emerging best practices and in-depth market coverage, there remains a gulf between sound, optimal security and the posture many organizations actually maintain.

While many enterprises are maturing in cyber-resiliency, others still scale their model based on the status quo. That is, the significance of cyber security has likely not coursed through the C-Suite and made an impression on the executive board. For those with an “immature” security posture, cyber security is a nuisance, and oftentimes security practitioners are labeled showstoppers.

However, one need only look to media coverage of the space to find horror stories (mega-breaches such as Equifax, Uber, and malware strains like WannaCry, etc.), along with news of enhanced security. The latter could mean enterprises doing away with credential-only authentication and exploring more forms of authorization; or organizations browsing the current market for integrated solutions on threat intelligence, incident response, and more.

Nevertheless, there exists the aforementioned gap – perhaps a chasm – between mature enterprises and those that struggle with the concept of security, in its entirety. This prevailing mindset has circulated throughout APAC regions as well.

See Related: Know Your Systems: Cyber Security Tips For Board-Level Execs

According to a CNBC “Squawk Box” interview with Bryce Boland, Asia Pacific CTO at FireEye, Inc., there is in fact an “awareness gap,” with organizations remaining hesitant to embrace a fully buttoned-up cyber-posture. Granted, that requires budgetary permission and interdepartmental cooperation, but security can no longer be understated.

Boland said that most of the organizations he’s investigated in Asia are not discovering breaches until weeks, months or even years after the incident has occurred. The result is that attackers have ample time inside the network – free to roam, exfiltrate data, or do as they please.

“Nobody was looking for them, so there was never any disclosure or investigation,” Boland said. “Attackers got away with anything they wanted to get.”

While Boland went into detail about the resiliency issues in the Asian market, he also said there is a “reluctance” amongst senior leaders to take security seriously. The CTO said that this concept of security value has not spread to “broader markets” yet.

Nonetheless, Boland said that changes are beginning to occur in the workplace. He said breaches are beginning to be disclosed – due to privacy legislation. He added: “There’s an understanding in the media, among business leaders, that this isn’t something that’s happening; that it’s not an issue. But the reality is very different.”

Closing this gap seems to boil down to business culture. There will likely always be organizations that fail to see the significance of the security spend – for them, the mindset appears to be “out of sight, out of mind.” Nonetheless, while cyber-criminals continue their onslaught, bolstering the business security culture is the only natural response.

See Related: Five Core Concepts Of The 2018 RSA Conference

A failure to implement sound security controls could stem from a lack of necessary C-Suite discourse. One consistent and unwavering business goal should be the “culture of security,” and cultivating it in any way necessary.

For those in attendance at the 2018 RSA Conference, this issue was front and center – as vendors in the training space made their cases. Those beneath the “security awareness” training/advocacy banner are companies which aim to improve security posture – from the employee base up to the C-Suite. This could mean adherence to various regulations, or governance frameworks such as NIST, or close contact to explain the business impact of failed security.

Security advocates made their rounds at RSA, but breached organizations, or those with middling posture, should actively seek out media guidance and security training, and open a dialogue with management about the need to fortify their IT infrastructure.
