Taking ownership of cyber – it involves us all

New research by BAE Systems, surveying 984 IT managers and 221 executives from Fortune 500 companies across the world, has found that there is still a damaging gulf in perceptions of who should take charge of managing the aftermath of a cyber-attack on an organisation.

• The survey suggested that 50% of IT staff believed boardroom executives should take the lead when it comes to deciding how a company should respond and repair after it has been penetrated by hackers.
• In contrast, more than 30% of Chief Executives said that IT staff should be the ones cleaning up, fixing problems and hardening defences.

This, according to Dr Adrian Nish, head of the cyber-threat intelligence unit at BAE Systems, could leave organisations unprepared for the attacks to come.

Cost of attack
There was also a mismatch when it came to the perceived cost of a breach: technology bosses believed that, on average, a breach could cost a company about $19m (£15m). This estimate included fines, legal fees, remediation expenses and compensation for customers. By contrast, boardroom members put an average price tag of $11.6m (£9.2m) on breaches.

Prevention much better than cure
Ultimately, whatever the price of a cyber-attack, unless organisations have taken the necessary preventative steps they remain highly vulnerable not only to the cost of a breach but also to the enormous impact of reputational damage and loss of trust.

Oliver Parry, head of corporate governance at the Institute of Directors, commented: “As with other principal risks to a business, responsibility for outlining this strategy should fall with the board. Lasting cybersecurity only comes from embedding good practice throughout the culture of an organisation, starting from the top. No system or person alone can prevent indefinitely the threat of a cyber-attack.”

This ties in with one of the main recurring themes for Amicus ITS’ Director of Technology, Security & Governance, JP Norman, who has stated many times over recent years that good education and awareness among staff (the “squidgy bits”) around data security remains central to good defence efforts in thwarting a successful attack. Commenting recently, he said:

“At Amicus ITS we carry out a three-stage review on a monthly basis, with data being collated via our support functions, reviewed at a formal Information Security Committee meeting and further reviewed at every Board Meeting. This enables us to ensure strategy, training and new developments flow in both directions across our company.” JP Norman, Director of Technology, Security & Governance.

New US survey dispels notion that US Boards’ attitudes have changed around cyber security risks

In the United States, the 2015 US State of Cybercrime Survey appears to reverse the findings of a number of previous surveys there over the last 12 months: it shows that, despite talking the talk, many US boardrooms are in denial about the importance of engaging, or engaging meaningfully, in any information security decision-making process.

Out of a pool of 500 US business executives, law enforcement services and government agencies surveyed, there were three tiers of outcomes with regard to Board alignment: “horrendous, adequate and excellent”.

Among the responses in the bottom two tiers (horrendous and adequate):

• 28% said their security leaders make no presentations at all to the Board
• 26% of Chief Information Security Officers (CISOs), or their organisation’s equivalent, said they gave an annual presentation to the Board, whilst
• 30% confirmed their security experts offered quarterly cyber security reports.

As one would expect, larger organisations appear to take a more proactive view on countering cyber threats, but this is not uniform. Looking at the responses by organisation size alone:

• 33% of smaller enterprises acknowledged there was no advice to the Board at all; however
• 18% (nearly one fifth) of larger enterprise CISOs reported that they too offered no advice to the Board.

This is a gross oversight by the business community that needs redressing. The IT security decision maker in any organisation today must be given the necessary tools, resources and, where needed, external security consultancy in order to be able to best advise the Board and deploy the most appropriate, up-to-date security measures.

There appears to be a real disconnect in the relationship between the Board and the CISO, as these evenly split results show:

• 42% of respondents viewed cyber security as a corporate governance issue, but equally
• 42% did not see cyber security as a corporate governance issue.

Q. Following on from this, how often should a Board be updated by its IT security experts?

A. Realistically, with today’s threats happening so much more frequently, in more sophisticated ways and more perniciously, this should be monthly, at each main Board meeting. Only then can a proper relationship be formed and trust developed, with a proper digest of the state of resilience, any threats identified in the last 30 days (how they were dealt with and the lessons learned), and forecasts from gap risk analysis identifying what, if any, additional security measures or software are reasonably required.

CISO and Senior Vice President at global investment and advisory firm Blackstone, Jay Leek, added: “I’m telling (the Boards) that it’s not possible to stop everything and that some threats are going to get in, and why it’s so important to be able to respond effectively. It’s very important just to get boards to understand that.” Let’s just hope for a ripple effect across the international business community.