CISOs Must Step Beyond Their Comfort Zones

A new survey published by Accenture shows that the twin security conundrums of increasing security breaches despite increased security spending, and high security confidence despite a high level of breaches, are both alive and well. These conclusions are drawn from a survey of more than 2,000 enterprise security practitioners across 15 countries in organizations with annual revenues in excess of $1 billion.

Accenture's report on this survey, Building Confidence: Facing the Cybersecurity Conundrum, published Wednesday, finds that 75% of the respondents are confident in their security strategies, while a similar number describe security as 'completely embedded' in the corporate culture.

Despite this confidence, the same respondents faced an average of 106 targeted attacks every year, with as many as one in three being successful. This implies a disconnect between belief and reality, and a potential misunderstanding of today's threats and possible solutions.

For example, as many as half of the respondents said that, given extra budget, they would 'double down' on their existing spending priorities; that is, spend more on what isn't really working. In particular, 58% of respondents would strengthen their perimeter controls despite the frequency and apparent ease with which those perimeters are breached.

Accenture believes that organizations need to pivot their efforts to address the internal threat that arises once the perimeter has been covertly breached. More than half of the respondents said that it takes months to discover a sophisticated breach, while one-third admitted that such breaches are only discovered by external parties, such as law enforcement or outside security researchers. Accenture therefore believes that organizations need to improve their ability to monitor and detect activity inside the perimeter.

"Cyberattacks are a constant operational reality across every industry today and our survey reveals that catching criminal behavior requires more than the best practices and perspectives of the past. There needs to be a fundamentally different approach to security protection starting with identifying and prioritizing key company assets across the entire value chain," said Kevin Richards, managing director of Accenture Security, North America. "It is also clear that the need for organizations to take a comprehensive end-to-end approach to digital security - one that integrates cyber defense deeply into the enterprise - has never been greater."

Accenture's survey highlights the conundrums of spend and breach, and confidence and failure, but doesn't explain them. SecurityWeek asked Richards for his thoughts. He suggests that one method of closing the gap on the cybercriminals would be to become as efficient at sharing threat data as the criminals have become at sharing vulnerability and exploit data. "It is beginning," he said; but it needs to improve.

The apparent over-confidence in the effectiveness of security controls despite the continuing and increasing volume of breaches is complicated. There could be an element of what is known as the 'optimism bias' -- the tendency to believe that bad things only happen to other people. However, Richards also believes it to be a side-effect of board-level awareness of security. Leadership awareness is good; but it means that security practitioners are increasingly asked to explain security issues to the board.

Since it is difficult, and potentially career-threatening, to tell the CEO that despite all the money spent on security the organization remains at risk, there is a natural tendency to put a positive slant on the true situation. This is a problem that most CISOs readily accept: the difficulty in communicating genuine information to the board.

There is nothing new in Accenture's advice on solving the conundrums. "To succeed, CISOs have to step beyond their comfort zones and materially engage with enterprise leadership," says the survey report. "Doing so will require them to speak the language of business to make the case that the security team is a critical pillar in the battle to protect enterprise value." But what the survey does show is that CISOs and the C-suite have not yet solved the difficulties inherent in following this good advice.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.