The Accountability Gap: Getting Business to Understand Security

A new survey and report from Tanium and NASDAQ, using a research team from Goldsmiths, University of London, seeks to quantify organizations’ cyber security vulnerability.

The resarch was done by first defining seven inherent challenges and then surveying 1,530 non-executive directors (NEDs), CISOs and CIOs from the US, UK, Germany, the Nordic countries, and Japan. The seven categories that comprise cybersecurity vulnerability are cyber literacy, risk appetite, threat intelligence, legislation & regulation, network resilience, response, and behavior.

The bottom-line conclusions from the response analysis will surprise no-one involved in cyber security – only 10% of respondents have a low level of vulnerability. The vast majority of organizations (80%) are deemed to have “a medium level of vulnerability.”

This is mirrored in the report detail. For example, only 13% of the most vulnerable NEDs are briefed regularly on cybersecurity legislation and regulation, and just 8% are regularly briefed on current threats. This compares to 100% and 96% respectively for the least vulnerable. There is a close correlation between poor information exchange between Business and Security and a poor security posture.

However, knowing there is a problem, and knowing what to do about it, are two different things.

The real difficulty is in getting Business to accept that it needs to understand Security. Writing in CityAM, Dr. Chris Brauer, director of innovation in the Institute of Management Studies at Goldsmiths, University of London, accepts the difficulty: “There is a marked hesitance to speak up among those NEDs who didn’t consider themselves knowledgeable about “cyber”. Most are not digital natives and there is a common culture of complacency – often a “leave that to the techies” spirit – and an over-reliance on specialist advice.”

Orion Hindawi, Co-founder & CEO at Tanium, agrees with this basic problem: the study found “a worrying gap between presumed and actual corporate readiness for data security incidents and a widespread lack of accountability at the top levels of organizations. That means that some of the world’s largest networks, holding some of our most precious data, are more vulnerable than their leaders believe.”

The report’s own primary conclusion is that organizations need to ‘create a culture of openness’. “Boards need to know what questions to ask in order to understand the state of cybersecurity of the business. These can be supplemented by detailed in-house or externally facilitated briefings for directors to ensure they have the skills to provide adequate oversight. Board members need to learn how to ask questions the same way they do for financial concerns and, in some cases, certain board members responsible for cyber should be given extended training.”

How to get to that culture of openness is the problem. In general, Business has no wish to understand Security, that’s what it pays CIOs and CISOs to do. CISOs know and grapple with this problem all the time and the reality is that it will most likely be solved by Security learning to speak Business, rather than Business learning to speak Security.

Related: Learn More at SecurityWeek’s CISO Forum