State of the CSO 2015: Breaches force new security strategy

Recent high-profile data breaches have clearly spooked a lot of companies, many of which expect to face cyber threats in the coming year. And security executives are spending more time advising senior executives and other top business decision makers at their organization on security-related matters.

Those are among the findings of CSO’s annual State of the CSO report, which surveyed 366 security professionals online in August and September 2014.

About half of the survey respondents say their organizations have had to reevaluate their information security standards as a result of recent well-publicized attacks.

One company that’s made changes is Hargrove Inc., a provider of services for events such as trade shows. “The data breaches at Target and particularly Home Depot elevated the perception of risk to a company’s reputation,” says Barr Snyderwine, CIO. “Those examples provided a very high level of visibility of the damage to reputation as well as cost.”

The company was in the process of changing some data security protocols and the breaches accelerated the project, Snyderwine says. “They also elevated the need for additional security testing and scanning,” he says. “We will be adding budget to implement next year.”

Also reevaluating its information security approach is public accounting and business advisory firm Joseph Decosimo and Co.

“We are paying a little more attention to monitoring internal activity in our network,” says Brian Joyce, director of IT/security. “Previously we have been more focused on what was coming in. Now, [we’re] equally focused on what is going out as well, [and] more focused on data loss prevention and our ability to respond to control potential damage.”

[ 9 employee insiders who breached security ]

Among the organizations surveyed, cyber threats from outside the organization (including advanced persistent threats and distributed denial of service attacks) were the most commonly cited security-related challenges anticipated for the coming year. Some 37% of the organizations say they expect to face those challenges.

“As a provider of cloud services we are exposed to the threats from the Internet and defense against cyber attacks—including advanced persistent threats and distributed denial of service attacks—tops our priority list,” says Erkan Kahraman, chief trust officer at Projectplace International, a provider of Web-based collaboration offerings.

Outside threats are an issue for Hargrove as well, “due to the data we keep and the industry we are in,” Snyderwine says. “The challenge is to stay ahead of the threats. The vectors of the threats are a constant issue. The outside threats target our employees constantly so we have to train and communicate new threats.”

Also high on the list of expected challenges are balancing IT’s priorities—such as innovation and cost cutting—against the organization’s risk appetite and ability to protect critical assets or meet regulatory guidelines (cited by 32%). Next was employee awareness and cooperation (30%).

“Balancing innovation and cost cutting has been a constant challenge through the years,” Joyce says. “What is becoming more of a burden is the regulatory guidelines and compliance issues. And employee awareness is of necessity an ongoing, never static process, and remains a challenge. Employees are both our best defense and potentially porous perimeter.”

It’s interesting to note that cyber threats from inside the organization, which has often been mentioned as a major concern for companies, came in toward the bottom of the list of challenges, with only 18% of the respondents mentioning that. Also low on the list are employee retention/hiring enough skilled workers, and managing security and addressing the risks around mobile devices, with only 15% mentioning those as challenges for the coming year.

Security executives are spending more time advising senior executives and other top business decision makers at their organization on security-related matters. When asked about time spent doing this during the past three years, three quarters said it had increased, and 37% said it had risen significantly.

Looking ahead, 80% of the respondents expect the amount of time they spend advising to increase over the coming three years, and 44% expect it to increase significantly.

CSO staff

“Our senior executives were targeted by unsuccessful spear phishing attacks, which brought the attention to email security and awareness,” Kahraman says. “During the last year we’ve spent significant time in both implementing email signatures—digital certificates—and training users. I can only assume we will continue our efforts in this domain.”

While he is spending more time briefing senior executives, Snyderwine is spending even more time filtering the information to present to the executive team. “I have to summarize and present the right issues and strategy,” he says.

Slightly more than half of the executives surveyed (52%) say their organization’s overall security budget will increase over the next 12 months, compared with the past 12 months. Thirty-seven percent say the budget will remain the same and only 5% expect to see a decrease.

Companies in some industries are more likely to see increases than others. For example, in financial services, 67% of the respondents expect an increase while among government and non-profit entities only 45% anticipate higher budgets.

When formulating the security budgeting process, companies are using a variety of methods and calculations. These include total cost of ownership (42%), business value (42%) and return on investment (34%). Surprisingly, about one quarter of the organizations use no formal financial methodology for their security budgeting process.

Not quite as many organizations are looking to boost security staff headcount over the next 12 months, however. About one third (35%) say they’re expect to see headcount increase, while 56% say the workforce will remain the same and 5% are anticipating a decrease.

CSO staff

Again, the outlook varies by industry. For example, among healthcare organizations, 73% expect an increase in security staff in the coming 12 months. In the services industry, on the other hand, only 24% are expecting an increase.

For the most part, organizations are pleased with their security technology investments. Two thirds say that in general they are satisfied with the quality and relevance of products offered by security vendors, and 7% are very satisfied. A little more than half are satisfied with the security services offered, and 7% are very satisfied.

“I can say that I’m pleased with the security technology we’ve invested in; not so impressed with the professional services we purchased,” Kahraman says. “Security technology has come a long way, and today’s vulnerability scanners, Web proxies and application firewalls are all useful arsenal one can rely upon.”

The study shows the growing value of risk management. About half of the executives surveyed say their organization’s senior management placed more value on risk management over the past 12 months, while 35% said there was no change and 13% said the organization placed less value on risk management.

As for the next 12 months, 70% of executives expect senior management to place more value on risk management, with only 5% saying they will place less value.

CSO staff

Many of the organizations surveyed use a formal Enterprise Risk Management (ERM) process or methodology that incorporates multiple types of risk, not just information security and physical security risk. Some 56% say they are doing this. And the percentages are considerably higher for organizations with more than 1,000 employees (65%) and for industries such as financial services (70%) and healthcare (69%).

As for which ERM frameworks they’re deploying, a majority of organizations (62%) are using internally developed models. The formal ERM process covers a variety of disciplines, departments and groups within companies. These include information security (87%), business continuity/disaster recovery (82%), executive management (77%), financial risk/insurance (72%), physical/corporate security (67%), general counsel/legal (62%) and human resources (56%).

A variety of officers are primarily responsible for driving risk management strategies, including chief risk officers, CSOs, CFOs, COOs, CEOs and CIOs.

To keep up with the latest security-related developments, survey respondents rely on a variety of sources. These include security/technology content sites (65%), analyst firms (64%), peers outside their companies (61%), white papers (61%), executive conferences or other events (57%) and industry associations (52%).

Given the rapidly changing developments in the security landscape and the importance of strong protection against attack, security executives will no doubt continue to tap into these and other resources for guidance.