ISACA EuroCACS 2013: Boardrooms not investing enough in cyber-security

Speaking at ISACA's EuroCACS conference in London this week, IT security insiders claimed enterprise executives are still failing to invest sufficient funds into bolstering cyber-security.

The information security world has long-bemoaned the gap that exists between the average CISO and his boardroom seniors, and addressing a packed hall at the Hilton London Metropole Hotel, leading lights in the sector claimed company execs were not backing their IT staff when it came to enforcing comprehensive security strategies.

David Lacey, Consultant and Strategic Adviser at IOActive, said too many senior employees were only concerned with meeting regulatory requirements with their security policy, and were leaving gaping holes in their infrastructure by merely seeking to cover the minimum.

“I think basically 99 per cent of security in the enterprise is compliance driven,” Lacey (far right of image) said. “It all becomes a tick-box, do the cheapest thing you can to get through.”

To change the status quo, Lacey argued that CISOs themselves need to appreciate the boardroom mentality and present an all-round business case for addressing their security concerns.

“When we go to the board, what I tend to do is say, ‘You do realise that security can enhance your business; it can transform it, it can delight your customers, save you lots of money. It’s a smart thing to do.’ And they say, ‘Fantastic you’re finally speaking our language.’”

In an era of austerity and reluctant expenditure at boardroom level, getting senior executives to recognise the wider gains of effective cyber-security is imperative, Lacey emphasised.

Once the CISO and his execs are reading from the same page, the investment needs to be divided into separate security entities, said ISACA member Rolf Von Roessing (second from right), Chairman of security group, FORFA AG.

“I would say we all need the realisation that there are two sides to investment. There is the corporate and organisational side of things, and there’s the bad guys side,” Von Roessing explained, adding that the latter is frequently given insufficient attention.

“We have solid data on how much the bad guys are investing in cyber-security in terms of breaching defences, and it’s a lot more than what corporations do... If you know about how much your opponents are investing, why are you investing such a lot less and thinking you might get away with it?”

Cyber-security permeated much of the discussion at EuroCACS 2013 this week, as CISOs and business execs around the world descended on west London for the two day conference. Ahead of his opening keynote at the event, ITProPortal saw News International’s Amar Singh discuss the “perfect storm” of security threats brought by explosions in cloud computing, mobile, and social media.

Meanwhile, ISACA member Mike Small detailed the top 10 things organisations need to consider when negotiating their cloud services, before his own appearance at EuroCACS.