Even though CISOs opine that cybercrime and cyberterrorism will be major threats in the next three years, they, by and large, believe that senior executives don't fully understand the extent of those threats, which has proven a real obstacle to meaningful prevention.
Of the 1,006 CIOs, CISOs and senior IT leaders in the U.S., Europe, the Middle East and North Africa who responded to the Global Megatrends in Cybersecurity 2015 survey conducted by Ponemon Institute, 78 percent said that their boards of directors had not received a briefing on their companies' cybersecurity strategy in the previous 12 months, and 66 percent think that leadership does not see cybersecurity as a strategic priority. In the U.S., only 23 percent of leaders view it as such, the survey found, signaling a disconnect between CISOs and other C-level executives.
“People who are CISOs in many organizations are excellent technicians,” Larry Ponemon, chairman and founder of Ponemon Institute, told SCMagazine.com Friday. “But they don't speak the language of business.”
And, even as reports of attacks make headlines almost daily, executives struggle to view security investments as prudent. “ROI is usually devastating to security,” Ponemon said. “Security doesn't have a predictable net benefit. By the time you sign the check and install the solution, you find out that the bad guys have come up with something else.”
As a result, a lot of security technology ends up sitting on a shelf. “It's shelfware,” said Ponemon, “tools that are very valuable for a very short period of time.”
Disinterest among boards of directors who “don't see it happening to them” also contributes to the disconnect, Dylan Owen, a lead cybersecurity engineer at Raytheon, which commissioned the study, told SCMagazine.com. “A lot of companies don't see themselves as targets for hackers,” he said, noting that those organizations might be unpleasantly surprised by what types of information hackers find valuable.
But some very high-profile attacks, a few of which have cost executives their jobs and most of which have at least raised awareness, have started to reshape senior management's perspective. And, as the study showed, respondents recognize that their organizations face significant threats going forward. Among the top threats, zero-day attacks took first place and mobile malware second, while phishing and cloud data leakage tied for third. Zero-day attacks are likely to become “one of the most prevalent cyber threats” in the next three years, 47 percent of those surveyed said, while 35 percent believed that attacks on critical infrastructure would be among the top five threats in the same period.
Security teams will have a difficult time fending off those future threats, however, if they cannot get the resources they need to do battle or to build defenses around their assets. About two-thirds of those surveyed, or 66 percent, “indicated their organizations need more knowledgeable and experienced cybersecurity practitioners,” the study said. But with a shortage of security professionals looming, coupled with a high turnover rate, companies have trouble finding, attracting and retaining people with the right set of skills. Calling the CISO an “evolving” role, Ponemon said today's practitioners need a combination of technical skills and business savvy. “There has been a shift away from traditional IT to shadow IT,” he said, noting that a growing number of CISO hires now have MBAs.