The compromising position facing UK CISOsCyber attacks have become an increasing source of anguish for UK businesses.
According to some estimates, cyber breaches cost mid-market businesses £30bn this year. Yet despite this, businesses appear to be dialing up the rhetoric and exuding an image of confidence. Our recent study into the cyber confidence of security professionals revealed that 71 percent of organisations promote their cyber defences as a selling point for the business.
Cyber security and small and medium-sized companies: how they can defend themselves in 2019 as the Cybercrime menace grows
Cybercrime continues to surge without a slowdown in sight. Cyber security and small and medium-sized companies is a big issue, but businesses can take steps to protect themselves, says Michael Fitzgibbon at Slice Insurance Technologies. Read here
This has placed CISOs in a compromising position. They are required to present a message of solidarity when, in reality, they are not confident in their ability to counter daily threats. The research showed that more than a third are only somewhat or slightly confident in the security solutions their organisation uses. Further still, only 17 percent believe their security stack is 100 percent effective. Two thirds hit by a breach in the past 12 months are unsure about their organisation’s ability to recover from another attack of a similar nature.
UK CISOs less confident that US CISOs
There are also notable differences in the confidence levels of CISOs in UK and US businesses. According to the Cyber Confidence research, where an attack had taken place, US respondents were twice as likely to believe their organisation could defend another attack (40 percent compared to 22 percent). Yet, top cyber professionals in US businesses were twice as likely to have reported more than 30 breaches in the last 12 months.
Senior professionals in the UK and US also think differently about how to mitigate the risks. UK CISOs believe that outsourcing is unlikely to provide the necessary level of security to alleviate concerns. Sixty-one percent were much more likely to deem it as having ‘about the same’ risk compared to in-house. Yet, this compares to just 44 percent of US respondents, many of whom were more comfortable in outsourcing to reduce risk.
CISOs in the firing line
Of course, when attacks hit, CISOs are quickly placed in the firing line. The breach that destabilised financial services firm Equifax provides a reminder of how exposed they can become. After the data of at least 147 million people was breached and put down to a ‘website application vulnerability’, CISO David Rimmer and his team were in the spotlight. According to the BBC, the fifty strong team were isolated from the rest of the company’s 11,000 staff. Mr Rimmer was also allegedly attacked for having a music degree, despite having over 30 years’ experience and cybersecurity not being a profession at the time.
AI and data security: a help or a hindrance?
The case was eventually settled with the US Federal Trade Commission receiving $700m (£561m) and the UK’s Information Commissioner’s Office receiving £500,000. It shines a light on the challenge facing businesses to both recruit and retain those in the most important roles. According to a report by Bitglass, 38 percent of the Fortune 500 companies don’t have a CISO in place. And of the 38 percent, 16 percent have another executive listed as responsible for their cybersecurity strategy. In addition, only 4 percent appear to see the role as valuable enough to place it on their company places.
Culpability a business issue
It is, of course, an oversimplification to believe top cyber professionals should have sole accountability for attacks. The approach of the C-Suite is as much of a determining factor of an organisation’s robustness. This is demonstrated by the fact that – aside from increasing threat vulnerabilities (49 percent) – a lack of staff training (41 percent), lack of funding (34 percent), insufficient staffing (31 percent) and a lack of board support (29 percent) all ranked as highly influential determinants of whether a business would be able to repel an attack, according to our research.
It would also appear that CISOs are simply being overwhelmed by the speed at which change is happening in the industry. Cyber monitoring, cyber resilience and cyber governance were identified as the top three areas for budget allocation.
Cyber security scores: a new standard in mitigating risk?
Developing cyber confidence
Thankfully, CISOs do report that the outlook is improving, and they are hopeful that their confidence will increase. In fact, 62 percent reported that their confidence had improved over the past year. The vast majority (76 percent) of respondents also believed that cyber security is increasing as a priority within their organisations and many are already noticing a difference.
Achieving cyber confidence will come down to improved ability to defend and respond to attacks but also the increased collaboration between security teams and the wider organisation. To avoid hitting the headlines for a breach and suffering the adverse publicity implications, CISOs must move away from being perceived as reactive, to a more proactive, strategic approach. This allows for education of teams and implementation of adequate procedures, all underpinned by cyber technologies that add value to the business and provide visibility and actionable intelligence. This will also help bridge the gap between security team and the organisation’s perception of security, putting everyone on the same page and making sure CISOs are no longer being placed in that compromising position.