Even though CISOs opine that cybercrime and cyberterrorism will be major threats in the next three years, they, by and large, believe that senior executives don't fully understand the extent of those threats, which has proven a real obstacle to meaningful prevention.
Of the 1,006 cybersecurity CIOs, CISOs and senior IT leaders in the U.S., Europe, Middle East and North Africa who responded to the Global Megatrends in Cybersecurity 2015 survey conducted by Ponemon Institute, 78 percent said that their boards of directors hadn't received a briefing on their companies' cybersecurity strategy in the previous 12 months and 66 percent think that leadership doesn't see cybersecurity as a strategic priority. In the U.S., only 23 percent of leaders view it as such, the survey found, signaling a disconnect between CISOs and other C-level executives.
“People who are CISOs in many organizations are excellent technicians,” Larry Ponemon, chairman and founder of Ponemon Institute, told SCMagazine.com Friday. “But they don't speak the language of business.”
And, even as reports of attacks make headlines almost daily, executives struggle to view security investments as prudent. “ROI is usually devastating to security,” Ponemon said. “Security doesn't have a predictable net benefit --by the time you sign check, install solution, find out that the bad guys have come up with something else.”
As a result, a lot of security technology ends up sitting on a shelf. “It's shelfware,” said Ponemon, “tools that are very valuable for a very short period of time.”
A disinterest by boards of directors who “don't see it happening to them” also contributes to the disconnect, Dylan Owen, a lead cybersecurity engineer at Raytheon, which commissioned the study, told SCMagazine.com. “A lot of companies don't see themselves as targets for hackers,” he said, noting that those organizations might be unpleasantly surprised by what types of information hackers find valuable.
But some very high-profile attacks, some of which have cost executives their jobs but mostly have raised awareness, have started to reshape senior management perspective. And, as the study showed, respondents recognize that their organizations are facing significant threats going forward. Among the top threats, zero-day attacks and mobile malware snagged the top two slots respectively while phishing and cloud data leakage tied for third place. Zero-day threats are likely to become “one of the most prevalent cyber threats” in the next three years, 47 percent of those surveyed said, while 35 percent believed that attacks on critical infrastructure would be among the top five threats in the same time period.
Security teams within organizations will have a difficult time fending off those future threats, however, if they can't get the resources they need to do battle or build fortresses around their assets. About two-thirds of those surveyed, or 66 percent, “indicated their organizations need more knowledgeable and experienced cybersecurity practitioners,” the study said. But with a shortage of cyber pros looming, coupled with a high turnover rate, companies have trouble finding, attracting and retaining professionals with the right set of skills. Calling the CISO an “evolving” role, Ponemon said today's practitioners need to have a combination of tech skills and business savvy. “There has been a shift away from traditional IT to shadow IT,” he said, noting that a growing number of CISO hires now have MBAs.
To keep talent, too, organizations need to frame security in terms of a career. “A lot of organizations don't create a career path for security,” said Ponemon, who explained that the “average CISO stays 2.1 years,” far less than the average six years logged by IT execs. As a result, CISOs find it better “to move on and get a better salary.”
Securing and retaining CISOs with the right mix of talents will become even more important as the Internet of Things (IoT) increasingly becomes a reality. The survey found that a mere one-third of respondents think their organizations are ready to "deal with the cybersecurity risks associated with the Internet of things (IoT) and the proliferation of IoT devices.”
Ponemon called IoT “a huge, monstrous risk.” And Raytheon's Owen noted that the security equation was “going to get more complicated” as more devices come online. “If you have 20 devices, you only need one to be week to cause them all to fail,” said Ponemon.
Both see a glimmer of hope twinkling across the security landscape, with Owen pointing to a growing awareness among executives that they need to get their security ducks in a row. “Awareness leads to good things,” he said, chief among them, “less negligence from a cybersecurity prospective.”
He urged organizations to train employees from top to bottom. “If you do training in the right way and a continuous manner, you can get tangible results,” he said.
And cybersecurity has recently gotten a boost from the White House. The survey comes on the heels of the Obama administration's push for a strengthening of the nation's cybersecurity posture through government policy and legislation. While Ponemon applauded the White House's efforts, saying that “it's very good for a president to say this is a priority and we have to deal with it,” he noted that because cyber attacks “don't respect borders,” one country can't solve the cybersecurity conundrum alone.
“We can't necessarily get to those people [cybercriminals in other countries] legally,” he said, suggesting that in addition to domestic cyber legislation, a multinational force should be formed that works together to curb cybercrime.