CISOs are getting more clout than ever, but it’s not translating into cross-business partnerships or far-reaching security strategies, according to a new survey of the CISO’s role that found just 51 percent of companies have an organisation-wide information security strategy.
Fully 58 percent of CISOs, surveyed in the Ponemon Institute-F5 Networks Evolving Role of CISOs report, said security was still a standalone function within their organisations.
CISOs were largely being left to their own devices to design and execute IT-security strategies, with 68 percent of respondents saying that the CISO has the final say in all IT-security spending, 67 percent responsible for setting their organisation’s security strategy, and 64 percent saying they have direct influence and authority over all security expenditures.
While two-thirds of CISOs were controlling security spend and strategy, just 22 percent reported that security was integrated with other business teams. This lack of a cross-jurisdictional security strategy was having a significant (36 percent) or some (39 percent) influence on the organisation’s overall IT security tactics, respondents reported.
This approach has perpetuated largely reactive security practices, with just 43 percent saying that their IT security strategy was reviewed, approved and supported by other C-level executives.
Business executives were more likely to get interested in IT security in the wake of a material data breach (cited by 45 percent of respondents) or cybersecurity exploit (43 percent) – which, 46 percent of CISOs reported, was the only time they communicated with the CEO and board of directors.
“It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies,” said Mike Convertino, Chief Information Security Officer at F5, in a statement. “Yet in many organisations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”
The lingering disconnect between CISOs and the business was particularly concerning given that only 19 percent of respondents said they report all data breaches to the CEO and board of directors. Given that Australia’s looming Notifiable Data Breaches (NDB) scheme will require what the Office of the Information Commissioner has called “quick assessments of suspected data breaches to determine if they are likely to result in serious harm” to the individuals they affect, this lack of communication between CISOs and company executives could leave those executives scrambling to get up to speed once a breach hits.
The recent massive theft of data on 143m Americans and 44m Britons from financial-services provider Equifax’s systems has become a case study in poor handling of a breach, with experts warning of potential account takeover and Equifax waiting two months to make the breach known even as executives allegedly sold their shares in a move that has attracted the attention of the US Justice Department.
Amidst all the consternation, Equifax’s CIO and CSO retired shortly after the hack was revealed. CSO Susan Mauldin, who was revealed to have had no cybersecurity degree and to have majored in music composition at university, has scaled back her online presence, and Equifax executives were already promoting new blood as they worked to contain the backlash over the massive compromise.
Yet because it relied on a vulnerability in the widely used Apache Struts framework that had been known – and fixable – since March, the Equifax breach was probably just the first in what could be a long line of similar breaches, warned Jeff Luszcz, vice president of product management at Flexera Software.
“Equifax is probably just the first known victim,” Luszcz said in a statement. “Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities. We should expect a long tail of incidents and breaches in the months – and potentially years – to come. We still see attacks targeting Heartbleed, a vulnerability more than three years old.”
Despite the ever-present risk of compromise through such vulnerabilities, fully 40 percent of those surveyed in the Ponemon-F5 report said their organisations don’t consider IT security to be a business priority.
Attitudes towards IT security varied widely from business unit to business unit: asked which business executives were supportive of the IT security function, CISOs found the least support from brand management (4 percent), marketing (8 percent), and communications (8 percent) while legal (48 percent), HR (45 percent), and line of business (43 percent) managers were the most supportive.
Stunningly, just 43 percent of CISOs felt that internal auditors were supportive of IT-security objectives, while just 37 percent said compliance executives showed that same level of support.
Even new laws aren’t spurring companies into action: only 23 percent said new compliance requirements were driving a marked change in the organisation’s attitude about information security. And just 16 percent said IT-security initiatives were started at the top of the organisation and cascaded downward.