Data security: How a proactive C-suite can reduce cyber-risk for the enterprise

Similar documents
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

The State of Cybersecurity and Digital Trust 2016

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Security in India: Enabling a New Connected Era

DIGITAL TRUST Making digital work by making digital secure

THE POWER OF TECH-SAVVY BOARDS:

Sales Presentation Case 2018 Dell EMC

Uncovering the Risk of SAP Cyber Breaches

Security Awareness Training Courses

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

KNOWLEDGE GAPS: AI AND MACHINE LEARNING IN CYBERSECURITY. Perspectives from U.S. and Japanese IT Professionals

Building a Threat Intelligence Program

Cybersecurity and the Board of Directors

The Third Annual Study on the Cyber Resilient Organization

Security-as-a-Service: The Future of Security Management

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

2015 VORMETRIC INSIDER THREAT REPORT

Reducing Cybersecurity Costs & Risk through Automation Technologies

The Defence Nuclear Enterprise: a landscape review

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Cyber Security Strategy

State of Cloud Survey GERMANY FINDINGS

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers

THE CYBERSECURITY LITERACY CONFIDENCE GAP

Cybersecurity. Securely enabling transformation and change

2017 RIMS CYBER SURVEY

CYBER SECURITY FOR BUSINESS COUNTING THE COSTS, FINDING THE VALUE

Turning Risk into Advantage

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

COMPANY BROCHURE. About Us. Kinnectiv, LLC. Consulting. Security. Innovation. +1(888)

State of the Cyber Training Market January 2018

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

Cybersecurity for the SMB. CrowdStrike s Murphy on Steps to Improve Defenses on a Smaller Scale

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS

PAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY

Combating Cyber Risk in the Supply Chain

The Cost of Denial-of-Services Attacks

Which Side Are You On?

Sponsored by Raytheon. Don t Wait: The Evolution of Proactive Threat Hunting Executive Summary

THREAT HUNTING REPORT

Awareness and training programs OPTUS MACQUARIE UNIVERSITY CYBER SECURITY HUB

A new approach to Cyber Security

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

How Switching to the Cloud Drives Employee and Agency Growth

Cloud Computing. January 2012 CONTENT COMMUNITY CONVERSATION CONVERSION

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Run the business. Not the risks.

State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017

Cyber Security and Cyber Fraud

People risk. Capital risk. Technology risk

Securing Digital Transformation

THALES DATA THREAT REPORT

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

Skybox Security Vulnerability Management Survey 2012

CYBER RESILIENCE & INCIDENT RESPONSE

Hearing Voices: The Cybersecurity Pro s View of the Profession

Security in the age of digital disruption. An Australian and New Zealand perspective

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

CYBERSECURITY AND THE MIDDLE MARKET

THE LIFE AND TIMES OF CYBERSECURITY PROFESSIONALS

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

9 TH SOUTHERN INDIA INFORMATION TECHNOLOGY FAIR (SIITF) THEME : EMERGING TECHNOLOGIES TO CREATE NEWER MARKETS

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Protecting your next investment: The importance of cybersecurity due diligence

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Modern Compute Is The Foundation For Your IT Transformation

Preparing your network for the next wave of innovation

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

2018 MANAGED SECURITY SERVICE PROVIDER (MSSP): BENCHMARK SURVEY Insights That Inform Decision-Making for Retail Industry Outsourcing

ITU CBS. Digital Security Capacity Building: Role of the University GLOBAL ICT CAPACITY BUILDING SYMPOSIUM SANTO DOMINGO 2018

RSA Cybersecurity Poverty Index

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Cyber Security in Timothy Brown Dell Fellow and CTO Dell Security

INTELLIGENCE DRIVEN GRC FOR SECURITY

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

THALES DATA THREAT REPORT

Cyber Risks in the Boardroom Conference

building a security culture to counter emerging cybersecurity threats

SELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats

Partner with an MSSP or Grow an In-House Security Team: What s Right For Your Business?

SECOPS: NAVIGATE THE NEW LANDSCAPE FOR PREVENTION, DETECTION AND RESPONSE

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Background FAST FACTS

Building a Resilient Security Posture for Effective Breach Prevention

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals

Leading our discussion today

Professional Services for Cloud Management Solutions

IT Monitoring Tool Gaps are Impacting the Business A survey of IT Professionals and Executives

How To Build or Buy An Integrated Security Stack

DIGITAL TRANSFORMATION IN FINANCIAL SERVICES

State of South Carolina Interim Security Assessment

Larry Clinton President & CEO (703)

Detecting breach. There are only two types of organisations in the world... Terry Greer-King Director, Cyber security, UK & Africa May 2017

Driving Global Resilience

EMPOWER PEOPLE IMPROVE LIVES INSPIRE SUCCESS

Cloud Foundry User Survey

Understanding Cybersecurity Talent Needs Findings From Surveys of Business Executives and College Presidents

Transcription:

A report from The Economist Intelligence Unit Data security: How a proactive C-suite can reduce cyber-risk for the enterprise The number one technology issue in the C-suite today is cyber-security. 1 And there s no wonder attacks are becoming more numerous and more sophisticated than ever. The cost of cyber-crime to the global economy has topped more than $5 billion 2 equivalent to 1% of global GDP. Sometimes cyber-crime can seem unstoppable while spent more than $75 billion on cyber-defences in 2015 3, cyber-crime grew by 3% that year. That s why C-suite executives everywhere are asking: What can we do to make a difference in defending against hackers, cyber-criminals and digital spies? Research conducted by The Economist Intelligence Unit (EIU), sponsored by Oracle, provides answers. The results show that a proactive security strategy backed by a fully engaged C-suite and board of directors reduced the growth of cyber-attacks and breaches by 53% over comparable. These findings were compiled from responses by 0, across multiple industries, against a range of attack modes and over a two-year period from February 201 to January 201. Sponsored by The lessons are clear. As cyber-attackers elevate their game, the response must be an enterprise solution. Only C-suites and boards of directors marshal the authority and resources to support a truly enterprise-wide approach. In sum, proactive cyber-security strategies, supported by senior management, can cut vulnerability to cyber-attack in half. 1 The Economist Intelligence Unit Limited 201

The payoff for being proactive The EIU survey respondents were all members of the C-suites or boards of directors of their respective companies. They represented medium to large businesses in over 20 verticals, with equal representation from Europe and the Middle East, the Americas and the Asia-Pacific region. (See the appendix for more demographic details.) The collective responses show the factors that differentiate enterprises with a high degree of success in cyber-security from those that continue to struggle. First, successful rely on proactive security strategies. Executives at companies with a high degree of confidence in their defences describe themselves as having a proactive data security strategy that goes beyond traditional approaches that rely primarily on reactive perimeter defences managed by IT departments. Instead, proactive strategies actively monitor external threats and mobilise the entire workforce to stave off attacks. In short, these approaches combine both the latest security technology and new business processes. How confident are you that your company has an acceptable level of data security? 22 3 1 3 Very confident Somewhat confident Not very confident Not at all confident Don t know How do you rate yourself against your peers in data security? 31 7 2 Pioneer Leader Middle of pack Follower Laggard What is the most important thing the C-suite/board can do to support data security? Supporting a proactive security strategy Building a security culture Security programme oversight Recruit security personnel Ensure financial support Balance security with productivity Collaborate with external entities Support security across silos Security crisis management 11 32 Proactive security determines the impact of a breach, what data was actually disclosed, and the cost associated with it. It s more thoughtful and less emotional than traditional approaches, says Ron Woerner, director of cybersecurity studies at Bellevue University. Second, successful security hinges on proactive C-suites and boards of directors. Why is the involvement of the C-suite and board so important? 2 The Economist Intelligence Unit Limited 201

Comparative engagement of the C-suite/board in security activities Firms with higher growth in cyber-attacks (+21.1%) Firms with lower growth in cyber-attacks (+.%) C-suite/board feels it gets sufficient information 22 Part of the answer stems from the new kinds of threats organisations are facing today. Criminals attack all parts of the enterprise and frequently include penetrations launched through third-party suppliers and customers. These broader, more complex threat parameters require action from executives with oversight into the entire enterprise. Standing board committee on data security Regular state of security reports Standing board agenda item Security factored into board strategic decisions C-suite/board has necessary expertise in data security 1 13 21 2 27 33 31 5 That demands a C-suite-level response. These leaders have the authority to mobilise all parts of the organisation, including appropriate responses from suppliers and partners. Just as importantly, senior executives provide budgetary and other resources to help ensure the success of proactive strategies. Boards become actively involved in security when they realise that security drives revenues and customer loyalty, says Jeffrey Ritter, external lecturer at the University of Oxford and author of the book Achieving Digital Trust. If partners or customers are not confident about how secure your business is, they will decide to not do business with you. For reasons like these, senior-level involvement is a clear indicator of cyber-security success, as the research data shows. The payoff isn t confined to just responding more effectively to an attack the influence of proactive C-suites also contributes to a significant reduction in the growth of cyber-attacks themselves. In an environment of rapid growth in cyber-risk, companies with proactive C-suites/boards have experienced much lower growth rates across virtually all major attack modes. Growth of attacks over past 2 years Hacking Malware 3 2 2 Theft of financial assets 23 Theft of customer data 1 1 Growth of attacks over the past 2 months average across all forms of attack 21-53% Lower growth in cyber-attacks Corporate espionage 2 Ransomware 1 Government espionage Public disclosure of sensitive documents Less successful More successful More successful: Firms with lower growth in cyber-attacks (+.%) 3 The Economist Intelligence Unit Limited 201

Overall, companies with proactive strategies and highly engaged senior executives are cutting the rate of growth of cyber-attacks in half, which significantly reduces exposure to cyber-attack risks, according to the EIU research. Six steps to a more effective cyber-security strategy The benefits of proactive, C-suite-driven security are clear, but what are the essential elements to focus on when creating a plan? The following six steps correlate with high rates of deterrence of cyber-attacks and, tellingly, all are within the responsibilities of the C-suite and board of directors. 1. Align the organisation to support security Key drivers of cyber-deterrence include reducing organisational barriers to security implementation and ensuring common standards across the enterprise. The process starts with breaking down silos. This addresses leading causes of security breakdowns, including fragmented security solutions. Silos also create gaps in coverage and force organisations to set protection at the level of the lowest participant. The next step in organisational alignment is implementing common standards across the organisation. This enables an integrated defence, makes security easier to manage and measure, and encourages organisations to adopt the highest shared standards for all departments. How successful has your firm been in ensuring support for security across silos? How successful has your firm been in extending common standards across the organisation? Less successful 3 72 Less successful 5 7 2. Ensure employee buy-in and compliance with corporate security practices Percentage of respondents who agree and strongly agree with the following statements Companies that have been more successful in deterring attacks have a stronger track record in these two important areas. We need to spend more time and money on employee security Our employees support our security programmes 55 5 73 Employee compliance is essential for cyber-security success since this group continues to be the largest single cause of breaches, according to multiple industry studies. But tough compliance mandates alone aren t enough. Organisations must understand any road blocks that are keeping employees from strictly following We have the right balance between security and productivity Our employees comply with our security policies Our employees receive sufficient security training 2 50 2 51 2 More successful: Firms with lower growth in cyber-attacks (+.%) The Economist Intelligence Unit Limited 201

policies. In particular, focus on whether employees are impatient with security procedures because they re seen as hampering productivity. Also, many organisations will benefit from additional employee training to ensure people understand the importance of security policies and have the knowledge to follow them completely. 3. Create a strong centralised management structure for security Companies that have been more successful in deterring cyber-attacks place a stronger reliance on centralised control over security programmes. Which of the following best describes your organisational approach to data security? Control within the line of business Hybrid control Centralised control 3 22 3 33 Do you use centralised policies to identify and protect sensitive information? (% respondents who answered yes) Less successful 5 75 Less successful More successful The reasons for centralised security are clear. Organisations can implement integrated systems that reduce the chance of security gaps that provide entry points for hackers. In addition, centralisation makes it easier to adopt common standards and enterprisewide detection and monitoring of intrusions. Other benefits include simplified training and policy management, as well as cost efficiencies that come with not procuring and maintaining multiple security systems.. Meet skills shortages by retraining in-house personnel Attracting and retaining skilled security talent is a challenge for any organisation. But successful are taking steps to address this long-time problem. Percentage of respondents who answered yes to the following statements We have difficulty recruiting qualified security personnel We have difficulty retaining qualified security personnel We can train and repurpose our existing personnel in security 50 5 0 7 23 5 Notably, successful are meeting the challenge of recruiting data security experts by elevating the security skills of existing employees. These staff members have strong incentives to hone their security skills. Not only will it make them more effective for their current employers, but it s a smart career move. One study found that by 201, a skills gap will leave 1.5 million cyber-security jobs unfilled 5. Over time, effective security has become less about just technology and more about integrating security into the processes of the firm, says Mr Woerner. More successful: Firms with lower growth in cyber-attacks (+.%) 5 The Economist Intelligence Unit Limited 201

5. Tap the expertise of third-party security Given the size and complexity of the cyber-security challenge, internal resources alone may not be enough to fully defend against cyber-criminals. Successful supplement their internal security resources with third-party vendors. These providers offer an independent view for monitoring the effectiveness of a client s defences. Just as importantly, because third-parties engage with a range of customers, they bring a broad perspective on trending threats, as well as the latest best practices for keeping organisations protected. How successful have you been in engaging security vendors? (% respondents who answered successful plus very successful) How important are third-party vendors in providing the following security services? (% respondents who answered important and very important) Less successful 37 71 Conducting independent security audits Conducting independent probes and tests Providing early warning/alerts 20 1 3 53 If I m an independent threat-intelligence service with 5,000 clients, I have an opportunity to see new patterns of behavior before they become widely known by others, says Mr Ritter. I know of one service that updates its black list every seconds, and to do that, they re looking at over 275,000 nodes, including 50,000 honey pots, or decoy systems, that they manage to monitor the activities of hackers.. Invest sufficient resources in particular, security funding to meet today s complex data-security requirements Despite cyber-attacks increasing by nearly 0% in 2015, budget increases remain modest. On average, enterprises are increasing spending by less than %. Projected growth of data security budget (increase over the next fiscal year) 1 1 27 Increase > 25% 15 Increase of 11-25% 51 55 Increase of 1-% Would you describe your data security budget as sufficient? (% respondents answering agree plus strongly agree) Less successful 25 7 Less successful More successful It s no wonder that IT staff at many feel outgunned and outspent by cybercriminals. The EIU study found a significant correlation between low levels of funding and a lack of success which, as shown in earlier charts, also correlates with higher growth rates of attacks. More successful: Firms with lower growth in cyber-attacks (+.%) The Economist Intelligence Unit Limited 201

A ray of hope As cyber-crime evolves, the role of the C-suite and board of directors is becoming vital for successful security efforts. Traditional static defences characterised by defending the firewall are becoming less effective as the volume and sophistication of attacks increase. The new era of cyber-crime prevention calls for a more elastic, proactive and cross-enterprise set of defences. How confident are you in your firm s ability to meet future challenges in data security? (% respondents answering confident or very confident) Less successful This in turn calls for mobilising employees, partners and external. Make no mistake the answer isn t just another IT initiative. An effective, proactive strategy must mobilise almost the entire firm. Only the C-suite/board has the authority to support this level of engagement for the long term. But as the EIU data shows, this modern approach pays off in a significant decrease in the number of cyber-attacks on the enterprise. There s one other benefit greater peace of mind. 1 7 Firms that are pursuing proactive security strategies with strong C-suite backing are more confident about the future it s a welcome contrast to the litany of discouraging news that often surrounds cyber-security. More successful: Firms with lower growth in cyber-attacks (+.%) 7 The Economist Intelligence Unit Limited 201

Appendix: summary of survey demographics In February-March 201, the EIU surveyed 0 executives identified as responsible for or are knowledgeable of cyber-security in their companies. The following is a summary of survey sample demographics. Seniority and function Company leadership, strong IT representation Geography Globally representative by region CIO CISO Chief Strategy Officer Chief Risk Officer 12 5 Americas Europe & ME Asia-Pacific RoW COO Chief Data Officer 7 5 Non-IT (33%) IT (7%) CEO 2 Size of company Medium-large business supports complex IT (% respondents, US$bn) 23 1 CFO 2 3 1 $0-500 $500-1 bn $1-3 bn $3-15 bn Industry 20 verticals, none more than % effectively represents all industries Consumer goods Entertainment Manufacturing Chemicals Financial services Healthcare Construction Automotive IT Telecommunications Transportation Logistics Agriculture Energy Education Government Aerospace 1 2 2 3 5 7 1 http://www.industryweek.com/strategic-planning-execution/-questions-leading-boardroom-agendas-201 2 http:co//www.telegraph..uk/technology/internet-security/0/cyber-crime-costs-global-economy-5-bn-annually.html 3 http://www.gartner.com/newsroom/id/3135 http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html 5 http://searchcio.techtarget.com/news/500275/obamas-1b-cybersecurity-plan-takes-aim-at-cybercrimeunderscores-skills-gap The Economist Intelligence Unit Limited 201

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback