PwC’s Global State of Information Security Survey contains a number of striking points, starting with the disconnect between the board and security teams in businesses across the globe.
Security is now one of the biggest challenges that businesses face. Executives voice increasing concern around security and data privacy, yet spending in this area remains flat. According to PwC, global information security budgets decreased 4 percent from 2013 and have stalled at 4 percent or less of IT budgets for the past five years.
I wonder whether this disconnect between concern and budget is because business executives aren’t getting the advice they need to make the right calls on what and where to invest. It’s noticeable that the spending priorities of CISOs referenced in the report are mainly security tools – perhaps this money could be better invested elsewhere.
So what should security teams be telling their businesses to invest in? If we look at where the security incidents are actually coming from, the report points to an increase in insider threats. Thirty-two percent of respondents say that these threats are more costly, yet many lack a programme to tackle them.
When people think of security, they think of threats such as staving off nation-state attacks. Although it’s glamorous for the CISO to be seen as a heroic cyber-defender, security is more often than not about managing user accounts and implementing access control. Lack of attention to these basics can often cause the most damage or provide the route in for an attacker.
As well as threats from employees, PwC notes that there has also been an increase in threats from within an organisation’s supply chain: incidents involving both current and former partners have increased by 2 percent. This points to another area where awareness is lacking – organisations seldom check the security of many of their suppliers. This is often due to cost, time and resource constraints but the reality is that suppliers can be an open door into their businesses.
IT security exists beyond geographic borders so solving many of the issues requires greater international collaboration. By adopting similar standards and speaking the same language, organisations will have a better understanding with each other, which should make working together and information sharing about attacks and incidents easier.
Lack of awareness
Despite knowing the source of the majority of data breaches, organisations direct most of their investment towards security tools rather than the business-led processes and awareness that are crucial to staving off these risks. Only 27 percent of respondents see employee awareness programmes as a priority area of investment, an area which requires more work.
What’s more startling is that just 42 percent of respondents say their board actively participates in the overall security strategy and 36 percent say the board is involved in security policies. Only 25 percent say boards are involved in reviewing current security and privacy threats.
This shows a discrepancy between wanting to integrate security into the business and boards not getting actively involved. There’s also the discrepancy between where boards are investing and where they should be investing.
I believe a lot of these problems come back to the perception that security professionals need to talk the ‘language’ of the board and show how security is a fundamental component of the business. They need to avoid overly technical talk, and focus on why security matters more than ever for their business’ operations and longevity. One of the things (ISC)2 has tried to address through its CISSP certification is to provide training which enables security professionals to relay information that resonates at the board level.
Ultimately, once security has bridged the disconnect in communication and understanding with the board and the business, investment can flow into the right places.
Adrian Davis, managing director, (ISC)2