Balancing resources as security challenges rise is a major strategic problem for today’s business leaders. The list of brands whose credibility and finances have been damaged by cyber-attacks is unprecedented, and alarm bells are understandably going off across the board.
Martin Walshaw, SE team lead: sub-Saharan Africa at F5
Despite more chief information security officers (CISOs) on the scene, there is widespread concern that information security continues to lack substantive strategic focus.
Recent F5-commissioned research by the Ponemon Institute found that 60% of CISOs believe cyber-security is now a business priority. Yet, while awareness levels are clearly growing, the report’s resounding message is that there is plenty of room for improvement. Indeed, a notable proportion of companies are not even hiring or engaging IoT security experts (41%) or purchasing and deploying new security technologies to deal with potential new risks (32%).
Finding the right talent is also a significant hurdle, with 56% struggling to identify and recruit qualified candidates. Almost half of surveyed CISOs branded their staffing as inadequate (42%).
Clearly, overall readiness levels to combat cybercrime continue to fall short. The CISO may be gaining a voice, but it needs to be heard much louder.
New frontiers for hackers
One of the key concerns highlighted by the Ponemon Institute was a lack of action and initiative at the top. 80% of surveyed CISOs believe that the Internet of Things (IoT) will cause ‘significant’ or ‘some change’ to security practices. Despite this, as many as 41% claimed their business is not hiring requisite IoT security experts.
A hacker’s arsenal is constantly evolving, becoming more targeted, automated and sophisticated. From DDoS, data exfiltration and credential takeovers to social engineering and beyond, defences must be moulded accordingly. Keeping up with the shifting threat landscape must be a top priority or businesses will soon find themselves losing ground.
Attacking the skills gap
The skills gap is another ticking time bomb. It simply cannot be ignored for much longer. Across industries, there is huge scope to be more proactive and promote careers in cybersecurity. For example, encouraging women to take a greater interest in the industry is a huge opportunity for companies to nurture skills.
Schools have a big responsibility too. Much has been said about the promotion of STEM (science, technology, engineering and math) subjects in schools, but I’d argue it is still one letter shy. Add another ‘s’ for ‘security’ into the mix and we’ll be better prepared to bridge the skills gap of the future. CISOs need to be vocal advocates and cheerleaders in both industry and academia. We can’t afford to remain quiet on the sidelines anymore.
CISOs, though growing in prominence, should communicate better. They need to ensure influence at board level and not be reduced to a passive resource. They would be more effective in shaping the culture of a company.
One of the Ponemon Institute’s most worrying findings was that only 19% of CISOs reported all data breaches to the board of directors. Furthermore, 46% admitted that communication with the CEO and board of directors only happens in the event of material data breaches and material cyber-attacks. This is a serious disconnect and one that needs addressing immediately – ideally prioritising crucial areas like application security and data management.
Unfortunately, the disconnect is also symptomatic of the relationship between security and other departments. 58% of CISOs’ companies had information security as a standalone function, meaning most lack an information security strategy spanning the entire enterprise. Only 22% said security is integrated with other business teams, and 45% had security functions without clearly defined lines of responsibility.
Without an information security strategy that spans the whole enterprise, organisations may find themselves unprepared and exposed to cyber-attacks, and inefficiencies will creep across the organisation due to bad practice. Something must give way.
The balance of power
CISOs now need to step up and become more influential at the highest level with executive management and Board backing. The balance of power is shifting, and, like a seesaw, it pivots on the weight of expectation of the executive team and Board and on the business priorities. If the balance is tipped in the wrong direction then resources could be wasted, and I can only foresee more disruption and cybercrime woe. The measure of any organisation is how it pre-empts and responds to risk and, more than ever before, CISOs must lead the charge in this respect.