The year of cybercrime since our most recent US State of Cybercrime Survey has been nothing less than stunning. There were the Home Depot and JP Morgan Chase data breaches, the Sony Pictures fiasco, and most recently the devastating breach at the US Office of Personnel Management (OPM) that appears to be worse than first believed.
In the face of such a series of events, it’s no surprise that cybercrime awareness has hit an all-time high. What is surprising, however, is that after years of effort and attention to information security, most organizations’ ability to respond to cyberattacks have stalled. That fact is just one of the notable takeaways from our 2015 US State of Cybercrime Survey of more than 500 respondents including US business executives, law enforcement services, and government agencies. The survey is cosponsored by PwC, CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service.
According to this year’s survey, the number of respondents who reported being more concerned about information security risks spiked to 76%, up from 59% in the same survey one year ago. CEOs also have taken notice, with PwC’s most recent Annual Global CEO Survey revealing that 87% of CEOs in the US fear that cyber attacks could disrupt economic growth.
A loose alignment and dangerous lack of visibility
With information security such a pressing issue, why has there been a persistent discord between business leaders and information security teams when it comes to building more attack resilient organizations? John Johnson, global security strategist at Moline, Ill.,-based heavy equipment maker John Deere, says that more boards are, in fact, increasingly recognizing gaps in their security programs and are demanding higher visibility and maturity for security within their organizations. Despite this, however, internal challenges remain. At the top of the list is executive hierarchy and reporting structure. “The problem is, as long as security reports up through the CIO, these [security] changes may not be timely and effective,” says Johnson.
“Some organizations get it and move the CISO out from under the CIO, or create a dotted line reporting structure to the CEO. Others are biding their time until they suffer a breach and then they have to truly elevate the [CISO] role,” Johnson adds.
The security-business alignment is loose everywhere, or not even in place among a sizable number of respondents. This year’s survey revealed that 26% of respondents said their CISO makes only one security presentation to their board annually, while 28% do not make any kind of cybersecurity presentation whatsoever.
That lack of unity and communication wouldn’t fly with Jay Leek, chief information security officer at New York City-based private equity and asset management firm The Blackstone Group. “I'm a believer in transparency in how we run our security programs to the extent we can be transparent. Not everything's confidential. Our five principles are protect, trusted adviser, transparent, awareness, and measure,” says Leek.
“Our job is to protect the firm but, more importantly, I'm a trusted adviser to the business leaders in this firm. That’s because they need to make informed risk-based decisions and I need to be there to help advise them to make a better decision at the time when they need to make it. We do this in a very transparent way to drive greater awareness to the firm,” he adds.
A big part of those efforts, explains Leek, is helping executives understand the differences among cyber crime, cyber espionage, the insider threat, and hacktivist type organizations so they understand the motives behind each, and why the motive is important. “The new threat that we've seen surface over the past 18 to 24 months concerns destruction, retaliation, and disruption – not stealing anything. It's important to understand this because these threats don't have to get in and get out; they just have to get in,” he says.
Kenneth Swick, independent security consultant and recent information security officer at Citigroup, says that understanding and level of education are crucial for CEOs and boards, and when poor alignment exists, effective organizational security is a nonstarter. “The desire for a secure environment must flow from the C-Suite to the rest of the organization,” says Swick.
In addition to the challenges of aligning proper information risk management with the needs of business leadership, the survey found that enterprises have stalled in their ability to see what attacks are underway within their systems, while too many organizations (25%) still don’t understand the nature of the impact to their business from these attacks. According to the study, 28% of respondents victimized by a cybercrime couldn’t determine if it was caused by internal or external attackers.
As might be expected, larger organizations, which presumably have more security resources in people and technology, detect more security breaches. The survey found that large enterprises spotted 31 times more incidents than their smaller counterparts.
How do enterprises and government agencies improve from here? Swick says it’s time, finally, for organizations to get going in earnest on the very basics. They need to classify and prioritize their most business-critical assets, and put the tools in place to detect suspicious activity. Once that is complete, move out from the most critical business assets and throughout the organization as budget and resources allow. “This is a challenging area because it will take a lot of resources and potentially re-architecting your network to really do this right. You just can’t walk into an environment and make this happen,” he says.
Data breaches and budgets rise
While the number of respondents who have detected a security incident in the past 12 months has stalled at 79%, the average number of incidents detected per firm has increased 21% over the year before. The industries that suffered the largest jump in incidents this year include retail and consumer, education, government, and information and telecommunications.
Fortunately, all of the attention now being paid toward cybersecurity incidents is pushing security budgets up. In this year’s survey, 45% of respondents reported that they have increased their budget this year over last.
Ben Rothke, senior eGRC consultant The Nettitude Group
The challenge going forward for those firms, says Ben Rothke, senior eGRC consultant The Nettitude Group, is keeping that budget once security teams get the increase they need, and then building long-term sustainable results. “Security is a journey, not a destination. If you show you can be effective and also run security like a business, you should impress management and be able to get the budget you need,” he says.
Johnson would likely agree, and also stresses that the CISO needs to be a leader who can align the technical aspects of information security with governance and business risk management metrics that executives and the board need to understand. For those who are not this mature, it’s not going to improve overnight. “You can't boil the ocean and you can't ever reach 100% security. The threats change and all you can do is try to develop an aligned plan and work on the highest priorities first. [By capturing] metrics and revisiting this plan as the business environment, regulations and threats change, you will hopefully keep your program on track and show that you are being effective,” says Johnson.