Why walls don’t work – the CISO revolution

Equifax, FedEx, Deloitte, WPP – all high-profile companies that have been victimised by security breaches made public in the past six months. Following numerous news reports, there is undoubtedly an increased awareness of the threat from cyber security issues – from an industry standpoint as well as among consumers. And this is not just a risk for the big corporations – in a recent survey we conducted with Aberdeen, more than three quarters (78 per cent) of large organisations experienced at least one security-related incident over the past year. No business is safe, and unless CISOs take action, swiftly, it is set to reach epidemic proportions.

How great is the risk?

No one can doubt the seriousness of the risk here. While the reputation of the targeted organisations is understandably compromised, if we look beyond the headlines, we see the fiscal impact unfold – FedEx Europe’s share rating was downgraded by UBS and WPP estimates the financial cost of its security breach to be £15 million.

Cyber crime was traditionally focused on financial institutions – as this was quite literally where the money was. As such, other organisations left themselves unguarded thinking they were safe from these types of attacks. But data represents possibly the greatest asset that can be extracted from any company, regardless of industry – even being described as “the new oil” because of its ability to generate wealth. And with a growing importance placed on user privacy and the protection of such data in advance of next year’s GDPR (General Data Protection Regulation), no company can afford to ignore the growing risks of a security breach.

So with valuable assets to protect, why are so many businesses still turning a blind eye?

Scale of the task ahead

The scale of the risk is vast and anticipated to grow, with no known boundaries. Of the large organisations surveyed, three-fifths anticipate a rise in the total number of native-mobile apps in use (61 per cent), while over half expect the total number of connected devices with access to enterprise resources to rise (52 per cent), over the next 12-24 months. Nearly half estimate an increase in the number of users accessing cloud-based apps (41 per cent), and project growth in the frequency at which sensitive data is accessed from outside the traditional network perimeter (44 per cent). These figures all represent an increased risk of cyber attacks and should not be ignored.

Certainly the complexity and scale of the digital ecosystem represents a daunting task. The sheer volume of data to analyse (37 per cent) and the complexity of the environment (41 per cent) are cited as significant inhibitors when it comes to CISOs addressing the issue. But other major issues are a lack of resources in in-house teams (33 per cent) and not enough specialised expertise (26 per cent).

Targeted defence

The important message to take away is that, due to the complexity of the digital ecosystem, CISOs cannot protect against every risk, all the time. It would be an impossible task and the cost to an organisation would be crippling. Building walls to protect a business will not suffice – vulnerabilities must be evaluated and defences optimised to protect the core of your network, meaning real-time detection of threats is key.

When speaking with CISOs, the top four motivators we identified for increased investment in detection were cited as growth of mobile (41 per cent) and cloud service usage (41 per cent), the risk of a data breach (40 per cent), and the introduction of connected devices and IoT (37 per cent). As a result, nearly a quarter (23 per cent) of large organisations plan to implement detection technology in the near future.

Large organisations also predict an increase in full-time security staff and managed security services over the next 12-24 months. For both large and small businesses – where this dedicated resource can be hard to find – prioritisation of threats is key.

Focusing available resources intelligently is important, no matter the size of organisation. Everyone in the workforce should have at least a basic knowledge of how they can contribute to a company’s privacy procedures, as well as the individual responsibility they hold. From understanding the importance of passwords to recognising malicious emails, instilling these important cyber security lessons represents a significant leap for the safety of the entire digital landscape.

The ‘big fish’

It’s safe to assume that large organisations (>$1bn in annual revenue) carry a higher risk of attracting the attention of cyber criminals, simply down to company footprint – as such, it is key for these companies to ensure a thorough security policy is in place. Looking ahead, over the next two years, survey respondents from these organisations predict an increase in cyber security budgets across the board, with detection receiving the greatest investment (68 per cent). Recognising threats is the essential point of difference to prevent attacks, and organisations are acknowledging this fact.

For CISOs – a call to action

For CISOs wanting to efficiently protect their organisations, it is paramount that an acceptable risk threshold be put into play. Rather than trying to encase the organisation in concrete, a prioritised system must be implemented for potential security alerts. In a digital landscape without limits, blanket defences will not cut it.

CISOs must be motivated to understand the security risks their network faces and appreciate the potential business impact if left unsecured. Ultimately, it is a CISO's responsibility to audit the network and decide on the level of risk they are willing to accept. Instead of undertaking the near-impossible task of mapping and protecting every vulnerability, they should prioritise threats and focus on recognising suspicious network behaviours to develop an effective cyber security policy. While there are clear barriers to increasing budgets, CISOs need to be motivated to improve capabilities to safeguard the organisation – a critical element to the future of any business.

In the bigger picture of today's ecosystem, the potential impact of a cyber security breach cannot be ignored. Every organisation needs to address its vulnerabilities, for the good of all, and it is clear that the business impact of cyber security breaches is great: tarnished reputations, damaged trust, and the resulting financial impact.

For CISOs, this is a call to sit up and take action; detection and targeted prioritisation of risk are the real opportunities to make or break the security of an organisation.

Scott Millis, CTO, Cyber adAPT