CONFIDENCE: SECURED
UNITED KINGDOM EXECUTIVE
CYBERSECURITY LITERACY SURVEY
ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE
Organisations have made significant cybersecurity investments to improve their network defenses, yet many cyberattacks still remain
undetected for months, and large-scale public breaches continue to dominate the news cycle. It’s well understood in the security industry
that for every breach made public there are many more that go unreported because they either haven’t yet been detected or don’t
affect consumer data or critical infrastructure, and as such, do not require disclosure.
Leading companies tend to treat cyber risks in the same way they do other critical risks — primarily in terms of a risk/reward trade-off.
However, the sophistication of security attacks facing corporations today outstrips basic defenses, and as the complexity of these attacks
increases, so does the risk they pose to corporations. In addition, deploying cost-effective business technologies may affect resource
investment calculations for security, and these competing business pressures mean that conscientious and comprehensive oversight of
cybersecurity risk at the board level is essential. It can be difficult, however, for technical executives to accurately convey the changing
shape of cybersecurity risks to non-technical executives.
In May 2015, Tripwire sponsored a study of 101 C-level executives and directors as well as 176 IT professionals from U.K. organisations
with annual revenues over £500 million to better understand the challenges facing organisations that are trying to better manage
cybersecurity risks. The study evaluated the attitudes as they relate to cybersecurity risk decision-making and communication between
IT security professionals, executive teams and boards.
United Kingdom Executive Cybersecurity Literacy Survey
Demographics
Key Findings
“It’s surprising that so many executives give their boards a passing grade
on cybersecurity, and may reflect wishful thinking on their part,” said
Dwayne Melançon, chief technology officer for Tripwire. “However, boards
are likely to evaluate cybersecurity risks from the perspective of
defensible legal standards, and while this may be a useful exercise, it
doesn’t help determine acceptable levels of cybersecurity risk that can be
used to guide day-to-day decision making.”
“There’s a big difference between cybersecurity awareness and
cybersecurity literacy,” said Melançon. “If the vast majority of executives
and boards were really literate about cybersecurity risks, then spear
phishing wouldn’t work. I think these results are indicative of the growing
awareness that the risks connected with cybersecurity are business-critical,
but it would appear the executives either don’t understand how much they
have to learn about cybersecurity, or they don’t want to admit that they
don’t fully understand the business impact of these risks.”
Key Findings
“I’m surprised that the percentage of IT security professionals who are ‘not concerned’ is so high,” said Tim Erlin,
director of IT risk and security strategy for Tripwire. “The results indicate that IT Professionals believe their boards
are literate and are also getting the information they need. It also appears that many IT professionals aren’t
getting feedback from the board on shared information. The communication appears to be largely one-way.”
Key Findings
“These responses indicate that cybersecurity isn’t a tool problem, as IT
Professionals and executives overwhelmingly believe they have the tools
necessary,” said Erlin. “Since respondents believe they have tools and data
in place, but breaches continue to grow, this really does appear to be a
literacy problem.”
“Most organisations are not struggling with tools,” said Melançon. “They
are instead struggling with finding the right vocabulary and information to
accurately portray cybersecurity risk to their boards, and they are trying to
find the right balance of responsibility and oversight for this critical
business risk.”
Key Findings
“When it comes to breach data, it’s clear that customer data has the
spotlight,” said Erlin. “Executives are overwhelmingly aware of the risk
that exposing customer data poses, in part because it’s quantifiable, and
in part because it’s newsworthy. A breach with customer data invokes
data breach notification laws and potential fines in some environments. It
also makes headlines and drives lawsuits. While losing trade secrets is a
risk, it’s harder to model the outcomes.”
Conclusion
“Outside of a breach to their own organisation, respondents were largely
influenced at the same level by high-profile incidents and vulnerabilities,”
said Erlin. “The commonality is the media profile of an event rather than
any intrinsic qualities of the event itself. Ultimately, all risk is personal,
and there’s nothing like a personal breach to bring home the impact of
cybersecurity.”
“Executives and IT security teams have dramatically improved their ability
to communicate cybersecurity risk to boards, but the key is to make
cybersecurity actionable before a breach,” said Melançon. “Confidence in
communication with the board is a great first step, but effective
communication that moves cybersecurity up the list of business priorities
is the objective.”
Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies
to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence
combined with business-context, and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions
includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at tripwire.com.
SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG
FOLLOW US @TRIPWIREINC ON TWITTER
©2015 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc.
All other product and company names are property of their respective owners. All rights reserved. 2BRUKECLS1a 201506