Senior security executives need the time and freedom to take a comprehensive view of security across the spectrum, especially from a staffing and talent development standpoint.
Without an influx of new talent and professional development of existing personnel in the security field, we may be on a hiding to nothing. The rapidly-evolving cyber security challenge alongside the continuous emergence of new technologies requires us to stay ahead of the curve. Presently, it appears we’re enveloped in compliance minutia and playing catch-up.
A new report released by (ISC)2 based on responses from more than 1,600 c-level executives globally, highlights this paradox; the senior C-suite is aware of the security threats, but because they are so busy reacting to the organisational and compliance requirements of the business, they are unable to spend the time to put adequate measures in place to effectively tackle the security issues.
Governance, risk management and compliance (GRC) policies takes up most of the time of nearly three-quarters of senior security executives; especially in banking, financial services, insurance and government. With growing government-driven regulatory activity, clearly setting standards and procedures and auditing against IT security compliance represents a major organisational pressure. Consequently though, these demands leave little time to evaluate new technology trends and threats.
It will be interesting to see what is revealed by the Bank of England’s Operation Waking Shark 2, a simulation exercise to test the UK banks' cyber readiness. This is a relevant initiative, but hopefully it will be constructively expedited and not become a typical GRC exercise. Such exercises are not new to the banking sector. During my time at RBS in 2004/05, every three months the bank ran crisis management exercises. Often production was run on the back-up system to test how the latter would cope in the event of an attack. With Operation Waking Shark 2, the scale is of significance as the initiative aims to test the collective network capacity of banks to withstand a denial of service type attack on the entire banking system, which potentially can bring down the UK economy to its knees, if successful. There may even be merit in extending this initiative to other national infrastructure industries such as utilities.
That said, it’s noteworthy that it’s not the financial impact of a security breach that drives investment in security, but the desire to curtail damage to their enterprise’s reputation for 83 per cent of the C-suite - above service downtime (74 per cent), intellectual property theft (58 per cent) and reduced shareholder value (49 per cent).
A big part of the C-suite’s security challenge is that there just aren’t enough people to get the job done. Senior executives categorically state in the research that they are short staffed with a major restraint being business conditions and a lack of budget or structure to support the people required. Finding skilled information security professionals is another problem. Yet more C-level executives plan to increase spending on technology in the next year (39 per cent) than on staffing (35 per cent).
The truth is that without the qualified personnel to deal with cyber security issues on a day-to-day basis. Without the capacity to strategically understand, plan and execute security, all these well-meaning initiatives will deliver extremely limited value. We will likely continue to see C-level focus on GRC, which is important, but does not contribute effectively to security in the way that proactive measures do.
John Colley, Managing Director, (ISC)2 EMEA