Cyber Security: Who's In Charge?
It’s no mystery that the threat landscape has intensified, widened and spooked many security practitioners around the globe. Between breach anxiety amongst the C-Suite, the increasing perimeter size of large enterprises, numerous endpoints tapping into the network and a glaring disconnect between departments, cyber security is still an often-overlooked facet of the business. This, of course, should not be so.
In recent years, the threat vectors have multiplied and security practitioners have been forced to deploy various solutions to mitigate – or attempt to mitigate – the many network dangers.
As C-level management begins to grasp the widening plain – including ransomware attacks, adapting malware strains and basic phishing scams – hackers dig in deeper. Their methods are secretive, their motives not always known.
The rise of nation-state hacking and “hacktivism” is a recognizable departure from the various “disruptions” hackers may have once sought. Furthermore, blackmailing large enterprises is also on the table. Hackers, tough as they may be to catch and interrogate, may desire financial gain, or trade secrets and insider information to sell on the dark web. These motivations are all on the mind of today’s CISO.
This concern is magnified by the growing status of many large enterprises – especially those handling sensitive data, be it personally identifiable information (PII) or protected health information (PHI). As the perimeter widens, so does the attack surface. With endpoints aplenty, CISOs must be familiar with best practices across devices, with hardware and software, and as they develop a polished cyber protocol.
The larger the enterprise, the higher that risk profile becomes. But whose duty is it to shoulder the weight of the security team – both its advances and any ensuing repercussions? It is no doubt beyond the CISO – this is an issue of business culture that has progressed sluggishly at best.
With a hacker’s questionable motivations and a lot at stake internally – namely finances and reputation – there must be a meeting of the minds, of some sort, to discuss more collaboration. Much of that discussion could (and should) be budgetary, seeing as cyber security ranks as a top business concern, yet budget increases have been disproportionate at best.
According to Gemalto’s 2017 Breach Level Index report, a whopping 2 billion data records were lost or stolen via cyber-attacks in the first part of 2017. Gemalto’s Vice President and Chief Technology Officer for Data Protection, Jason Hart, also added that two-thirds of firms breached had their share price negatively impacted. Of 65 companies evaluated, breaches cost shareholders $52.4 billion.
Needless to say, there is a financial incentive to more rigid cyber practices. Over time, that has not necessarily echoed up the corporate ladder as well as it should have.
IT budgets are typically 3-7% of a company's revenue, and security budgets are typically 5% of IT spend, according to data from the Harvard Business Review. That equates to about 1% of yearly revenue on security that could thwart an immeasurably damaging cyber attack.
The issue remains that boardroom residents – particularly those in the finance department – continue to dismiss security concerns, or pass them off to overworked technical managers before swiftly moving on to other business-critical issues.
This is not to downplay the progress that has been made, however. In a previous interview with the Cyber Security Hub, KnowBe4’s Security Training Advocate, Erich Kron, said, “For many years, security people were looked at as people who made a bunch of noise, who were stopping progress. Now, we’ve really gotten the people’s attention. (Many are) now realizing how critical security people are.”
So, despite the wedge that’s still present between departments to some extent, cyber security is exponentially more visible than it was just years ago.
In an increasingly regulated environment, along with steep financial costs for mega-breaches, there must be more discourse across these departments – in an effort to streamline decision making and award cyber security its rightful piece of the budget.
This is not a CISO versus CFO tussle. There must still be a seismic shift toward cyber security – spurred by conversation and continual training and awareness sessions.