Modern field guide to security and privacy

After high-profile hacks, many companies still nonchalant about cybersecurity

Multiple surveys, including one recently released by defense contractor Raytheon found that the attention paid to large breaches at corporations such as Sony and Anthem hasn't significantly changed attitudes about information security.

|
Gus Ruelas/Reuters
The cyberattack on Anthem was among of a string of major breaches at corporations over the past year. Despite that, many boards remain nonchalant about information security risks, according to a new study from Raytheon.

Conventional wisdom suggests that the costly data breaches at Target, Home Depot, JPMorgan, and elsewhere have elevated information security concerns to the highest echelons of corporate America and are driving major improvements in security practices.

But the results of two separate surveys highlight a somewhat more nuanced reality.

The breaches and resulting losses have made security a higher priority on the corporate agenda. But a disconnect still appears to exist between the security function and senior leadership at many companies. What's more, many corporate boards seem nonchalant about the risks their organizations face from information security failures such as the ones that have hit Sony Pictures, Anthem, and others in recent months.

In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months.

In fact, just a quarter of the respondents said senior management viewed security as a strategic priority while the remaining 75 percent said they viewed it as a necessary cost.

The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer that 42 percent of respondents said their board actively participates in overall security strategy while barely 25 percent said their boards were involved in reviewing and privacy risks to the their organizations.

The results of the Raytheon survey suggest that the massive attention generated by the data breaches have not really moved the needle a whole lot on attitudes toward information security at many companies. 

But, a separate soon-to-be published survey by International Data Corporation (IDC) showed information security professionals themselves having a slightly more optimistic view of their present lot and where they were headed. A majority of the 269 security professionals polled by IDC claimed the attention paid to security within their organization has increased in recent times and has had a positive effect on their organization’s overall security posture. 

About 42 percent of the chief information security officers, or CISOs, said they reported to their company’s board of directors on a quarterly basis and more than 6 in 10 said the frequency of their interaction with board members had actually increased in recent months. 

While those findings are somewhat in contrast with the more meager results in Raytheon’s survey, the two reports are similar in other aspects. Few CISOs for instance, still directly report to the chief executive despite the heightened importance of the information security function. Only 14 percent of the respondents in the Raytheon survey and 15 percent in the IDC survey said the CISO function reported directly to the CEO. 

Another vexing factor uncovered by IDC was the fact that larger companies are much less likely to have a CISO directly reporting to the CEO than in smaller companies.

The results suggest that while organizations say they are headed in the right direction, many at the highest-levels still appear to view a data breach as something that only happens to others, says Jack Harrington, vice president of cybersecurity and special missions at Raytheon.

“The Target hack was very interesting,” Mr. Harrington says. “It raised awareness across the entire retail industry certainly,” he said. But at that time, the number of CISOs that Target had ever hired was zero, he noted. “That tells you they felt they didn’t even need that position. They just didn’t feel at risk.”

The apparent disconnect between the security organization and senior management highlighted in the survey suggests that the same attitude continues to persist at many companies, said Mr. Harrington.

IDC analyst Pete Lindstrom said much of what is reflected in the surveys lies in the interpretation. “Some of this is really framing how you want to say it,” he says. “You could look at it as a glass half-full, glass half-empty kind of thing.” 

The fact that only 15 percent of CISOs still directly report to the CEO might appear depressing to some. But another 50 percent report to an executive that is just one layer removed from the CEOs, which isn’t entirely bad, said Mr. Lindstrom. Over the next three years that number us expected to reach 75 percent.

Security organizations and security executives that claim they do not get the attention they need, should assess their approach to risk management to see why that might be the case, Lindstrom said. 

“It is the business oriented risk-reward folks who succeed,” not the paranoid ones, he said. 

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to After high-profile hacks, many companies still nonchalant about cybersecurity
Read this article in
https://www.csmonitor.com/World/Passcode/2015/0219/After-high-profile-hacks-many-companies-still-nonchalant-about-cybersecurity
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe