Guest post by Mark Lobel
According to our new Global State of Information Security Survey 2013, data breaches are driving customers away from businesses around the world.
In conjunction with CIO Magazine and CSO Magazine, we recently surveyed 9,300 C-suite executives, vice presidents and directors of IT & information security from 128 countries. 52% of executives confessed they have lost customers as a result of inadequate information security. I can’t think of a more compelling case for companies to get their houses in order.
Why are the bad guys succeeding at severing relationships between businesses and customers? 68% of companies express confidence that they have woven security into the fabric of their organizations, which is crucial to creating and executing an effective security strategy. However, both their actions and their interactions with third parties tell a different story.
Data Security as an Afterthought
We found that only 25% of companies consider security concerns at the inception of an IT project. Even worse, 18% of respondents said they don’t know at what point security is factored into the equation of IT projects. The reality of the situation is that IT security is sometimes an afterthought, if it’s a consideration at all. In addition, many organizations lack an incident-response process to report and respond to breaches at third parties that handle data. Moreover, less than one-third require vendors to comply with their privacy policies.
Who’s to Blame? The CEO or CIO or Both?
Senior leadership is responsible for laying down a security mandate and embedding it into the bones of the organization. The survey respondents recognize this fact. They blame the top both directly and indirectly for lax security. 21% point the finger at the president, Board and CEO. 15% of executives we asked hold the CIO accountable. 22% say a “lack of an actionable vision or understanding of how future business needs impact information security” is the culprit. Scant capital, operating and technical resources are sources of frustration as well.
I’ve found that there are typically two types of CEOs: those who get the importance of information security and those who don’t, and the same holds true for CIOs. Sometimes the CIO is adamant about incorporating security concerns at the project planning stage, but the CEO tells her there isn’t enough time and money and to focus her efforts elsewhere. On the flipside, I have been thoroughly impressed with the CEOs who do understand the importance of aligning business and security strategies. Those CEOs not only have a command of the business issues, but they wow me with their level of technical acumen. These are the CEOs who empower the CIO with the permission and resources to adequately address security.
I’m not saying that security needs to be on the top of the priority list of CEOs and CIOs, but it undoubtedly needs to be on the list. CEOs and CIOs share responsibility for aligning business strategy with security concerns. CIOs also need to lock arms with CISOs.
90% of companies that we consider security leaders have a CISO in place. 42% of low security performers have a CISO. Having a CISO makes a dramatic difference. In addition to having a CISO, top security performers have an overall security strategy in place, have reviewed and measured the effectiveness of their security measures within the last year and understand exactly what type of security events have occurred in the past year. Only 8% of respondents met all four tests.
We know that the respondents to this survey take information security seriously. The problem is that they don’t realize that the security game has changed. The bad guys are malicious and masterminding new and improved ways of circumventing security systems every day. For example, “sophisticated, easy to acquire ‘point-n-click’ toolkits have made it possible for nearly anyone to get into the game, and that has turned digital theft into the new cash cow for some very old-fashioned organized crime syndicates,” as my colleagues and previous guest bloggers of the CIO Dashboard explain here. Organizations need to fortify their defenses from the top down and bottom up simultaneously to prevent disaster or pay the price.
Following are some specific steps that businesses need to take to strengthen IT security.
- Implement a comprehensive risk-assessment strategy and align security investments with identified risks
- Understand the organization’s information, who wants it and what tactics adversaries might use to get it
- Recognize that information security requirements and related strategies have reached a turning point
- Embrace information security as a means to protect data and create business value
What would you add to the list?