'Disappointing' executives ignorant of security's financial risk: researcher

Australian CSOs are more confident in their ability to stop the theft of corporate data than their overseas peers but are more likely to believe company executives have no idea about the financial impact of a data breach, new Ponemon Institute research suggests.

The firm's Exposing the Cybersecurity Cracks survey, conducted for security firm Websense, weighed security attitudes among 4881 IT and IT-security practitioners in Australia and 14 other countries.

Results suggest that nearly 6 in 10 companies don't have adequate intelligence about security threats against their companies, but Australians were more confident than overseas peers in their ability to detect and stop attacks: only 58 per cent of Australian respondents, compared with 69 per cent of those overseas, believe cybersecurity threats "sometimes fall through the cracks" of corporate security systems.

Some 55 per cent of respondents believe their organisation is not protected from advanced cyber attacks, and 57 per cent doubt they can stop the exfiltration of confidential information from the company's systems.

The latter figure is somewhat below the 63 per cent figure reported globally, suggesting that Australian CIOs and CSOs are more confident than overseas counterparts in their ability to control the flow of data.

Yet new threats are continually keeping them on alert: "The landscape has changed quite dramatically in terms of how threats have changed," Websense country manager Gerry Tucker told CSO Australia.

"That has resulted in a rapidly changing requirement to adjust the security posture, and this means security professionals are having to change how they approach security – and, as a result, how they invest resources to deal with that."

Investment decisions are complicated by the fact that executives still seem to have a poor understanding of information security – with 53 per cent saying their board-level executives have a "sub-par" understanding of security issues.

More worrying still is the potential financial impact on a company should information-security protections be violated.

Some 82 per cent of Australian respondents said their corporate leaders did not equate losing confidential data with a potential loss of revenue – surprising to many given that Ponemon Institute research suggests the average cost of a data breach is $5.4 million.

Such attitudes have persisted despite years of industry attempts to educate users, leading Centre for Internet Safety security expert Alastair MacGibbon to lament the Ponemon findings.

"After this length of time, with the amount of information about the threat environment and the types of things that criminal groups will get up to, this is a depressing set of numbers," he told CSO Australia.

"You can't defend against the threat if you don't understand what the threat is – but this survey shows that a significant percent of the population don't think they actually understand the threat environment."

Such findings reinforce the need for CSOs and equivalents to work as advocates for security education within their companies, proactively educating business leaders about the very real threats today's organisations face.

"What you've got is a serious disconnect," MacGibbon continued. "The security guys know what they have to do, and very often it's getting the business to learn that equation in terms of risk and mitigation."

This shift requires a team effort and broad-brush collaboration, Tucker added, particularly given survey findings that 55 per cent of companies don't think they're protected from security threats and 57 per cent are saying they can't stop the exfiltration of data.

"One of the things they're doing well is moving from compliance to a threat-based security posture," he explained. "They're coming to look at it as more of a lifecycle, rather than discrete processes.

"They're working to combine the risk of teams within the business – who tend to be more numbers and business-focused – and having those teams working closely with the security teams. So, they are better able to put together a business case that demonstrates the risk – and what would be the consequences if something did happen."

Copyright © 2014 IDG Communications, Inc.