The security leadership conundrum: balancing risk and cost

Security leadership is facing ‘increasing and opposing forces, while protecting their organisations,’ according to a report commissioned by Glasswall Solutions.

As cybercrime evolves, security leaders are struggling to find the balance between risk and cost, minor disruption and catastrophe, and keeping pace with the demands of business, while keeping their organisations safe.

Security risk

Even the best security practices have inherent risks attached to them — security leadership teams have their work cut out.

According to the research, complexity in security is entangling security professionals in a web of contradictions that affect multiple facets of security management:

• A finite budget, but a continuous and growing need for security.
• Highly interdependent, but vulnerable value chains.
• Reliance on old standby tools, such as antivirus, that have limited effectiveness.
• Employees’ business expectations that can lead to risky behaviours.

These incongruities present security leadership with a mesh of continually competing interests, opportunities and tensions from across the business.

Security concerns

The research found that 71% of respondents saw third-party risks from partner and supply chain interactions as high issues. Concerns about email risks from partners top the list of potential vulnerabilities — that includes both email with attached documents and email that may include dangerous links. Gone phishing…

Security in the supply chain

Supply chains for global businesses are growing exponentially, but third-party vulnerabilities are also rapidly increasing.

Glasswall insight: In this dynamic ecosystem, organisations often have to rely on the security of those that are unreliable, and while many global firms have some visibility into the defences their partners have in place, they often have limited influence on the risk decisions made by those third parties.

More than 40% of respondents recognise that employees remain susceptible to phishing attacks and engage in risky behaviours. At the same time, 40% are completely reliant on employees as their last line of defence.

According to the findings, access to unlocked devices, poor password protection and the use of personal devices are cited as the most worrisome employee behaviours.

Glasswall suggests that this illustrates a clear paradox in security teams’ quest to secure the enterprise, but it also reaffirms that employees are a critical component of the security strategy and that it’s incumbent upon organisations to implement effective and thorough security training across their workforce.

Security investment

The report found that 82% of respondents still see the network perimeter as the domain where they most need to keep investing in security. That includes the 57% who will continue to invest in perimeter defence along with post-breach detection.

Glasswall insight: Despite the proliferation of cloud, the perimeter hasn’t disappeared; it has just expanded and remains the most vulnerable access point in need of protection. Only 9% of respondents expressed complete confidence in their antivirus solutions. And yet, despite the low confidence expressed, 96% said they continue to invest in antivirus products.

This prevalent technology is increasingly viewed as inadequate to serve its intended purpose. However, as industry has yet to introduce a broadly accepted, game-changing alternative to AV, organisations continue to invest in it and view it as a commodity, value-based checkbox product — knowing it’s under par.

“Our research validates an industry issue that has been discussed for a long time behind closed doors – those in charge of security are caught in a web of contradictions, a repetitive cycle of codependence of weakest links and strongest assets,” said Greg Sim, CEO, Glasswall Solutions.

“After hearing from top security leaders, it’s clear the security industry needs to have an honest discussion about what’s not working, and collectively reset the security standard to which all organisations must align.”

Nick Ismail

Nick Ismail is the editor for Information Age. He has a particular interest in smart technologies, AI and cyber security.
