Organizations are repeatedly affected by data breaches and security incidents, yet a very low percentage of them are actually taking proactive steps to improve their overall IT security posture.
A new report based on Ponemon Institute research says that 63% of IT security chiefs do not report to the board of directors on a regular basis, and 40% do not report to the board at all. Moreover, a majority of enterprises still take a reactive, incident-driven approach to IT security that leaves them vulnerable to outside attackers.
Lack of board participation
Given the steady increase in data breaches and cyber attacks, one would expect C-suite executives, especially security leaders such as the CSO, and board members to take the necessary measures to guide their company's cyber security strategy.
But according to the Ponemon survey of 577 IT and IT security practitioners in the United States, this is not what happens. At least 4 in 10 IT security leaders do not report to the board at all, which points to a lack of accountability. Around 14% of IT security leaders report to the board only when a security incident occurs, by which time it is too late.
Even when the board of directors is kept in the loop on cybersecurity issues, it does nothing about them. According to the survey, only 28% of IT security leaders say that the board members or the CEO determine an acceptable level of cyber risk for the organization, and only 21% say that the board requires any form of cybersecurity due diligence in the mergers and acquisitions (M&A) process. This means that an organization may be unknowingly introducing a hazardous level of cyber risk into the enterprise with every new M&A deal.
The survey results show that C-suite executives and board members are not accepting any substantial responsibility for cyber risk within the enterprise. As a result, IT security issues are essentially siloed within one or two departments, and senior executives and leaders are not aware of what is happening, or of how exposed the company's data assets and mission-critical processes might really be.
Reactive approach to cyber risk
The Ponemon survey also examined how proactive IT security leaders are in guiding cybersecurity strategy, tactics and best practices. Here, too, the results were not encouraging. Rather than relying on regular monitoring and analysis, security leaders adopt a reactive, incident-driven approach. This implies that for most organizations, security becomes an issue only when something bad happens; otherwise, it is business as usual.
About 69% of IT security leaders stated that their organizations had a "reactive" approach to cyber security, while 63% said that IT security leaders need better monitoring tools. It is evident that enterprises are not only unconcerned about cyber security but also lack any visibility into the types of risk they might be facing. The fact is that a lack of monitoring and analysis is directly connected to the overall level of risk: the less you monitor, the more potential risk you face.
Better metrics and measurement tools
Finally, the survey looked at the metrics and measurement tools IT security leaders use to measure their overall level of risk. 24% of executives stated that they had a mature measurement and metrics program, and another 30% said that they had a partial program. The remainder had a patchwork program. In fact, 40% of IT security leaders do not track their IT security posture at all, and only 39% of those who do actually report their findings to the board of directors.
Lack of responsibility for IT security leaders
From the survey it is clear that there is a lack of both accountability and responsibility in the majority of organizations. A vast majority of organizations do not measure or track their overall cyber risk profile, and only a few of those who do report it to the board of directors.
C-suite executives are focused on other aspects of the enterprise and do not have the time to learn about cyber issues. As a result, most organizations have a reactive rather than a proactive IT security posture, which limits their overall effectiveness and efficiency in responding to cyber threats.
What can an organization do to rectify these issues? The obvious answer would be to use more tools and technologies. But organizations are already spending a lot on cyber investments and are already equipped with a large number of tools. Simply adding more technology on top of the IT security stack is not going to help.
Instead, a new corporate culture is necessary, one that values and respects security. This can happen only if board members and the CEO make it a priority. Enterprise culture is always formed at the top: if every board meeting opened with a review of the IT security profile, if IT security leaders held weekly meetings with the CEO, or if IT security leaders had greater access to resources, the results would be remarkable. This is exactly what an organization must do to keep up in a very complex, constantly changing cyber threat environment.