Businesses face a litany of existential threats: hostile takeovers, talent departures, unpredictable customer behavior and market fluctuations – all deeply familiar risks that leaders have carefully planned for and assessed over decades. Yet these same leaders are often alarmingly unprepared for the most potentially damaging threat: a massive data breach that could mean the loss of everything … all in a matter of seconds.
The problems begin not with the “techies” in a company, but rather at the very top with the board of directors, as we learned when Nasdaq and Tanium teamed up to investigate how business leaders assess their own cybersecurity vulnerability. In the new study, “The Accountability Gap: Cybersecurity & Building a Culture of Responsibility”, researchers at Goldsmiths, University of London, found a worrying gap between presumed and actual corporate readiness for data security incidents and a widespread lack of accountability at the top levels of organizations. That means that some of the world’s largest networks, holding some of our most precious data, are more vulnerable than their leaders believe.
The study surveyed 1,530 non-executive directors (NEDs), C-level executives, Chief Information Officers (CIO) and Chief Information Security Officers (CISO) across the United States, United Kingdom, Germany, Japan, Denmark, Norway, Sweden and Finland. They discovered that, among the most vulnerable companies, 98% of those business leaders are not confident their organization can monitor all devices and users at all times, which means information is traveling through unknown places.
Additionally, 90% of respondents could be categorized as medium-to-high risk for a cybersecurity incident, and 40% of respondents admitted that they didn’t feel responsible for the repercussions of a cyberattack. Until cybersecurity awareness and readiness are understood and openly communicated by both board members and senior executives alike – and all employees are educated on their personal accountability – closing the gap between how vulnerable you are vs. how vulnerable you think you are is a bridge too far.
Information security is fast becoming the number one area of IT spend for Global 2000 companies. Information security saw a 24% average increase in spending from 2014 to 2015, according to PwC. Unfortunately, the security industry has failed to evolve at the pace of cyberhackers and most companies use technology that has not been updated in decades to protect their most sensitive data.
The same study found data breach incidents outpaced the spending, increasing by 38% worldwide last year. Why? Because we have seen that cybersecurity is not simply a technology problem. Though having the right tools and cyber-hygiene practices is of paramount importance to ensuring the right security posture, it’s only part of the equation. If the people who are responsible for safeguarding an organization’s data don’t feel responsible – or simply don’t know how to be – a company remains at great risk.
But there is cause for optimism. Not only do new technologies address the latency and scale issues of legacy security tools, but this report also identifies several actions all organizations can consider to open meaningful dialogue – from board to C-Suite to staff – to reduce vulnerability and ultimately close the accountability gap. Here are two to consider:
Create a culture of openness: educate and empower the board
Most board members are not technologists, and even fewer have a cyber background. 91% of board members at the most vulnerable respondent companies are unable to interpret a cybersecurity report. But board members need to know what questions to ask in order to assess a company’s vulnerability – in the same way they ask questions regarding financial concerns. In many cases, certain board members responsible for cybersecurity should be given extended training so they can be comfortable with the language and impact of the data they are presented. Nasdaq’s board has several board members with a deep knowledge of what security means in the context of running a technology organization and how security incidents could impact the financial markets.
It is important to foster an environment of transparent communication in which cybersecurity can be talked about openly. Work collaboratively with governments, non-government organizations and peers to understand the latest security threats and ways to work together to put out fires. The research shows that we need to move to a culture of openness: one that strives for transparency and maximum visibility. Admit that hacking is inevitable, but breaches are not. Strong response plans, employee training targeted to each level in the company, cultivating knowledge and information-sharing are crucial elements for strengthening cybersecurity. Specifically, companies should be focused on improving information flows across the organization (including the board) and sharing information externally, too. This means being active with many industry consortiums, as they are all fighting the same fight.
Create a culture of vigilance: acknowledge that cybersecurity is a fundamental threat to the business
If widespread education about the detrimental impact of cyberattacks is step one, then an honest look at the technology you use to keep safe and run the business is step two. Prevention-based security strategies have failed on a very public level. People, processes and technology are the cornerstones of a culture of vigilance and, when approached holistically, the keys to staying one step ahead of the attackers. The reality is that most modern security tools are just abstracted versions of themselves from the past two to three decades. They lack the ability to answer basic questions like, “How many devices are in my network?” or “Which applications are causing the most vulnerabilities?” It may sound simplistic at its core, but an organization cannot protect what it cannot see.
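To make the two “basic questions” above concrete, here is an added example that is not from the report, from Nasdaq or from Tanium. It assumes two constructed data sources, an authoritative asset inventory (the kind of list a CMDB would export) and a set of endpoint observations (agent check-ins, each with a last-seen time and the vulnerability findings reported for that host), and reconciles them: devices seen on the network but absent from the inventory, inventoried devices that have not checked in, devices whose last check-in is too old to trust, the resulting visibility coverage, and findings aggregated per application. All host names, field names and timestamps are constructed for illustration.

```python
"""Asset-visibility reconciliation (added example, not the report's own tooling).

Assumptions: INVENTORY is what the organization believes it owns; OBSERVED is what
monitoring actually saw. Both are constructed sample data, as are the field names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed authoritative inventory: host id -> owner and installed applications.
INVENTORY = {
    "ws-001": {"owner": "finance", "apps": ["office", "browser"]},
    "ws-002": {"owner": "hr", "apps": ["browser", "pdf-reader"]},
    "srv-db01": {"owner": "it", "apps": ["dbms"]},
    "srv-legacy": {"owner": "it", "apps": ["old-erp"]},
}

# Constructed observations: (host id, last-seen ISO timestamp, findings per application).
# Note: srv-legacy never appears, and ws-unknown-7 was never registered.
OBSERVED = [
    ("ws-001", "2016-03-01T09:00:00", {"browser": 3}),
    ("ws-002", "2016-03-01T09:05:00", {"pdf-reader": 2, "browser": 1}),
    ("srv-db01", "2016-02-28T23:40:00", {"dbms": 1}),
    ("ws-unknown-7", "2016-03-01T08:55:00", {"browser": 4}),
]

# Constructed "current time" used when the script is run stand-alone.
NOW = datetime(2016, 3, 1, 10, 0, 0)


@dataclass
class VisibilityReport:
    unknown: list        # seen on the network but absent from the inventory
    silent: list         # in the inventory but never seen by monitoring
    stale: list          # in the inventory, seen, but not within the freshness window
    coverage: float      # fraction of inventoried hosts seen within the window
    vuln_by_app: dict    # findings summed per application, highest first


def reconcile(inventory, observed, now, max_age=timedelta(hours=24)):
    """Answer 'how many devices are on my network?' and 'which apps carry the findings?'"""
    seen = {host: (datetime.fromisoformat(ts), findings) for host, ts, findings in observed}

    unknown = sorted(h for h in seen if h not in inventory)
    silent = sorted(h for h in inventory if h not in seen)
    stale = sorted(h for h, (ts, _) in seen.items()
                   if h in inventory and now - ts > max_age)

    covered = [h for h in inventory if h in seen and h not in stale]
    coverage = len(covered) / len(inventory) if inventory else 0.0

    # Findings from unknown hosts are counted too: an unregistered device is still
    # exposing the application it runs, which is exactly the blind spot in question.
    totals = {}
    for _, findings in seen.values():
        for app, count in findings.items():
            totals[app] = totals.get(app, 0) + count
    vuln_by_app = dict(sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])))

    return VisibilityReport(unknown, silent, stale, coverage, vuln_by_app)


def run_report():
    """Convenience entry point using the constructed data and constructed clock."""
    return reconcile(INVENTORY, OBSERVED, NOW)


if __name__ == "__main__":
    report = run_report()
    print(f"Unknown devices (not in inventory): {report.unknown}")
    print(f"Silent devices (never seen):        {report.silent}")
    print(f"Stale devices (last seen >24h ago): {report.stale}")
    print(f"Visibility coverage:                {report.coverage:.0%}")
    print(f"Findings per application:           {report.vuln_by_app}")
```

With the constructed data the report shows that only half of the inventory is currently visible, that one device on the network was never registered, and that the browser accounts for most open findings; in practice the inventory and observation feeds would be replaced by exports from the organization's own CMDB and monitoring tooling, and the freshness window tuned to how often agents are expected to check in.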
Kris McConkey, PwC’s lead for cyber and insider threat intelligence, detection and incident response commented to us, “One of the failings of the security industry or rather the industry as a whole, is that we’re effectively taking all the same business processes that we’ve been using for the last 20-30 years, and trying to add more and more layers of technology on top to patch all the holes.”
We live in an exciting time, one where we use Internet-powered devices to connect directly with businesses, governments, each other and the world around us. As a result, we are able to solve problems quicker and live longer, happier lives. Cyberattacks represent an existential threat to this way of life and we need to make sure the right people, processes and the technology are in place to protect our most sensitive data. Now is the time that leaders across organizations take personal responsibility and play a more active role.
Orion Hindawi, Co-founder & CEO, Tanium
Lou Modano, Senior Vice President, CISO and Global Head of Infrastructure Services, Nasdaq