CISOs Must Step Beyond Their Comfort Zones

A new survey published by Accenture shows that the twin security conundrums are both alive and well: breaches keep increasing despite increased security spending, and security confidence remains high despite a high level of breaches. These conclusions are drawn from a survey of more than 2,000 enterprise security practitioners across 15 countries, in organizations with annual revenues in excess of $1 billion.

Accenture’s report on this survey, Building Confidence: Facing the Cybersecurity Conundrum, published Wednesday, finds that 75% of respondents are confident in their security strategies, while a similar number describe security as ‘completely embedded’ in the corporate culture.

Despite this confidence, the same respondents faced an average of 106 targeted attacks every year, of which as many as one in three succeeded. This implies a disconnect between belief and reality, and a potential misunderstanding of today’s threats and of the solutions available.

For example, as many as half of the respondents said that, given extra budget, they would ‘double down’ on their existing spending priorities; that is, spend more on what isn’t really working. In particular, 58% of respondents would strengthen their perimeter controls, despite the frequency and apparent ease with which those perimeters are breached.

Accenture believes that organizations need to pivot their efforts toward the internal threat that arises once the perimeter has been covertly breached. More than half of the respondents said that it takes months to discover a sophisticated breach, while one-third admitted that such breaches are only discovered by external parties, such as law enforcement or outside security researchers. The report’s conclusion is that organizations must improve their ability to monitor and detect activity inside the perimeter, not just at its edge.

“Cyberattacks are a constant operational reality across every industry today and our survey reveals that catching criminal behavior requires more than the best practices and perspectives of the past. There needs to be a fundamentally different approach to security protection starting with identifying and prioritizing key company assets across the entire value chain,” said Kevin Richards, managing director of Accenture Security, North America. “It is also clear that the need for organizations to take a comprehensive end-to-end approach to digital security – one that integrates cyber defense deeply into the enterprise – has never been greater.”

Accenture’s survey highlights the conundrums of spend versus breach, and confidence versus failure, but doesn’t explain them. SecurityWeek asked Richards for his thoughts. He suggests that one way to close the gap on cybercriminals would be for defenders to become as efficient at sharing threat data as the criminals have become at sharing vulnerability and exploit data. “It is beginning,” he said; but it needs to improve.

The apparent over-confidence in the effectiveness of security controls, despite the continuing and increasing volume of breaches, has no single cause. There could be an element of what is known as ‘optimism bias’: the tendency to believe that bad things only happen to other people. However, Richards also believes it to be a side-effect of board-level awareness of security. Leadership awareness is good; but it means that security practitioners are increasingly asked to explain security issues to the board.


Since it is difficult, and potentially career-threatening, to tell the CEO that despite all the money spent on security the organization remains at risk, there is a natural tendency to put a positive slant on the true situation. Most CISOs readily acknowledge this problem: the difficulty of communicating candid information to the board.

There is nothing new in Accenture’s advice on solving the conundrums. “To succeed, CISOs have to step beyond their comfort zones and materially engage with enterprise leadership,” says the survey report. “Doing so will require them to speak the language of business to make the case that the security team is a critical pillar in the battle to protect enterprise value.” What the survey does show is that CISOs and the C-suite have not yet solved the difficulties inherent in following this good advice.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
