For the most part, cybersecurity still seems to be reactive rather than proactive. Yes, security systems are in place to prevent potential incidents, but overall, I think too many organizations are unprepared for the moment an incident actually happens and spend a lot of time reacting to the aftermath.
New research suggests that organizations are falling behind even on that reactive approach. For its report The Global CISO Study: How Leading Organizations Respond to Security Threats and Keep Data Safe, ServiceNow surveyed 300 CISOs and found that 81 percent believe data breaches in their company are going unaddressed. Another 78 percent said they are concerned that they don't even have the capability to detect a data breach (if that's true, then no wonder the breaches aren't being addressed). And when they are able to identify potential cybersecurity events, 70 percent admit they struggle to prioritize them. As the report stated:
This failure to prioritize can paralyze organizations that try to address all threats equally, given that they can be hit by thousands of cyberattacks daily.
These CISO numbers have a visible consequence. Slightly more than one in 10 CISOs reported that their organization experienced a significant breach within the past three years that resulted in financial and/or reputational loss.
In response to the results, Sean Convery, general manager, Security Business Unit, ServiceNow, had this to say in a formal statement:
CISOs are spending an increasing amount on preventing and detecting data breaches, but our research underscores that response is where they should focus. Automating and orchestrating security response is the missing link for CISOs to radically increase the effectiveness of their security programs.
That's just part of the answer, I think. A shortage of security professionals may also play a role in this inability to respond properly to cybersecurity incidents. In the survey, more than 90 percent of CISOs said it is critical to bring skilled security professionals on board, yet only 55 percent said their current team has the necessary skills for security management.
Other studies show that some basic tools and policies are lacking, too. For example, Thales' 2017 Global Encryption Trends Study found that only 41 percent of companies have a consistent encryption strategy across the enterprise, and a Dtex Systems study found that the vast majority of employees look for ways to bypass security protocols whenever they can. Dtex Systems CEO Christy Wyatt was quoted by eSecurity Planet:
Some of the year's largest reported breaches are a direct result of malicious insiders or insider negligence. With limited visibility into user risk, companies face unlimited exposure which can have heavy legal and/or financial implications.
And that brings us full circle back to the CISO study. If security direction is lacking at the top, the gap will trickle down through the company, and the results could be devastating to the organization.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba