For some time, security professionals have talked about the need to have their voices heard at the highest level in the organisation. Now, with so many breaches over the years – the first four months of this year alone seeing 5.64 billion records leaked - there are few executive boards, if any, that aren’t in some way concerned about cybersecurity. From highly targeted threats on Bitcoin users and Hermes ransomware on the financial services sector to the SamSam ransomware that gave healthcare security teams a headache and the FIN7 credit card number stealing attacks on hospitality, the threats are clear and present.
However, a recent study has proven that there is still more work to be done in terms of aligning security teams with their board-level executives.
Recently, AT&T Cybersecurity took the opportunity to gauge the opinions of more than 700 security professionals on this topic. While around 56 per cent of respondents were mostly or completely on the same page with board-level stakeholders, 44 per cent were either sometimes or not at all in agreement.
Furthermore, when splitting the results out by company size, a trend emerges: larger enterprises appear to have slightly better alignment with their stakeholders than small or medium businesses (SMBs). Only 18 per cent of SMBs state they were completely on the same page with their boards. By comparison, 26 per cent of large enterprises said they were completely on the same page.
On the other hand, 10 per cent of SMBs felt they were not at all in alignment with their stakeholders compared to just under 7 per cent of large enterprises.
While this outcome is not surprising due to large enterprises usually having more robust security governance in place, it does prompt the question: Can SMBs learn some lessons from their larger counterparts? In larger organisations, many issues are discussed from the perspective of business risk, which can to allow for a better understanding of issues before they can become full-blown problems. By contrast, smaller companies may have fewer stakeholders which have less time to dedicate to governance, especially when hitting sales targets is a priority.
Focus by sector
Looking at the results through the lens of industry sectors provides further insights.
Financial services, manufacturing, and the public sector, where threats are high and potentially devastating, had a typical distribution curve that matched the aggregate, indicating a higher collaboration with board level stakeholders.
Healthcare followed a similar curve, although it was more negative overall with more participants inclined to believe they only saw eye-to-eye with executives sometimes, or not at all. This could be due to industry’s large volume of information including patient records and more intrinsic difficulties within the sector when it comes to security efforts.
Hospitality was overall optimistic, having an almost even split between being completely on the same page, mostly, and sometimes. Only 8 per cent stated that they were ‘not at all’ on the same page as stakeholders. This is interesting when we consider the number of high-profile attacks targeting customer data within the hospitality sector in recent years. This could either indicate a false sense of security, or it could indicate that executive teams have taken steps to make improvements in light of these attacks.
Transport was even more positive than hospitality, with all respondents saying they were sometimes, mostly or completely on the same page when it comes to cybersecurity. Retail was the most negative of all the sectors, with 60 per cent stating they were not at all or only sometimes on the same page.
Most worrying threats
Putting the best foot forward
The threat landscape is ever-shifting. To keep on top of the latest threats requires collaboration with peer companies, robust reporting on system activities, as well as actionable threat intelligence in which the primary goal is to drive the detection of emerging (new) threats and to drive resilient threat detection. This means the ability to detect threats even as IT systems evolve (i.e. cloud migration, IoT, mobility, 5G).
In other words, situational awareness of the internal and external environment is essential, and while some larger companies may have the capability to do this in-house, most companies do not.
Also, the sector a company operates in, but more importantly the size of the company and its available resources, should be taken into account. The mid-sized enterprise in particular is being targeted more and more by attackers as it is widely considered “low-hanging fruit” for threat actors, yet there are few practical answers to their predicament. In order for companies of any size to put their best foot forward when it comes to cybersecurity and aligning business and technical requirements, organisations should consider:
Having the right people can make all the difference to a company’s security strategy. It doesn’t necessarily mean hiring an entire security department. A consultant can help to significantly reduce security risks by providing an initial cybersecurity risk assessment that gives insight into an organisation’s current security posture as well as guidance on areas that need to be prioritised and best-practice frameworks for moving forward.
IT security technologies have come a long way in the last decade. However, the problem remains that companies have traditionally bought “point solutions” to solve discreet problems. These solutions exist in silos which need to be broken down. Therefore, security professionals should be looking to simplify their security technologies into a single platform that can give them one, umbrella view and invest in technologies that offer a broader set of capabilities, especially those which have their own or can integrate with reliable sources of threat intelligence. Unified platforms also can be more affordable, not just to buy, but to maintain on an ongoing basis.
In today’s age of the cloud and service providers, in many cases it doesn’t make sense to keep everything in-house. While most organisations don’t have the resources to build/manage their own SOC – and even if they do – there is a lot to be gained from outsourcing foundational elements, such as threat detection and response, so they can internally focus on response and mitigation.
Finally, where risk can’t be mitigated or accepted, consider transferring it to an insurance provider. Not only can insurance help alleviate the financial cost of a breach, but it can demonstrate to customers, shareholders, or partners that the organisation has taken out precautionary insurance as part of a broad cyber security plan if the worst should happen. A point of caution here is to fully understand what the insurer covers and what the business is protected against, as not all cyber insurance offerings are the same.
By working with board level stakeholders to comprehend the issues around security specific to the organisation, it will become quite clear where the business needs to step up and invest time, extra resources or security controls for a more well-rounded cybersecurity programme.
Tawnya Lancaster, lead product marketing manager, AT&T Cybersecurity