CONFIDENCE: SECURED
Organisations have made significant cybersecurity investments to improve their network defenses, yet many cyberattacks remain undetected for months, and large-scale public breaches continue to dominate the news cycle. It is well understood in the security industry that for every breach made public there are many more that go unreported, either because they have not yet been detected or because they do not affect consumer data or critical infrastructure and therefore do not trigger a disclosure requirement.
Leading companies tend to treat cyber risk the same way they treat other critical risks: primarily as a risk/reward trade-off. However, the sophistication of the attacks facing corporations today outstrips basic defenses, and as the complexity of these attacks increases, so does the risk they pose. In addition, pressure to deploy cost-effective business technologies competes with investment in security, and these competing business pressures make conscientious and comprehensive oversight of cybersecurity risk at board level essential. It can be difficult, however, for technical executives to accurately convey the changing shape of cybersecurity risk to non-technical executives and directors.
In May 2015, Tripwire sponsored a study of 101 C-level executives and directors and 176 IT professionals from U.K. organisations with annual revenues over £500 million, to better understand the challenges facing organisations trying to manage cybersecurity risk. The study evaluated attitudes toward cybersecurity risk decision-making and the communication between IT security professionals, executive teams and boards.
United Kingdom Executive Cybersecurity Literacy Survey
Key Findings
"It's surprising that so many executives give their boards a passing grade on cybersecurity, and may reflect wishful thinking on their part," said Dwayne Melançon, chief technology officer for Tripwire. "However, boards are likely to evaluate cybersecurity risks from the perspective of defensible legal standards, and while this may be a useful exercise, it doesn't help determine acceptable levels of cybersecurity risk that can be used to guide day-to-day decision making."
"There's a big difference between cybersecurity awareness and cybersecurity literacy," said Melançon. "If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn't work. I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business-critical, but it would appear the executives either don't understand how much they have to learn about cybersecurity, or they don't want to admit that they don't fully understand the business impact of these risks."
"I'm surprised that the percentage of IT security professionals who are 'not concerned' is so high," said Tim Erlin, director of IT risk and security strategy for Tripwire. "The results indicate that IT professionals believe their boards are literate and are also getting the information they need. It also appears that many IT professionals aren't getting feedback from the board on shared information. The communication appears to be largely one-way."
"These responses indicate that cybersecurity isn't a tool problem, as IT professionals and executives overwhelmingly believe they have the tools necessary," said Erlin. "Since respondents believe they have tools and data in place, but breaches continue to grow, this really does appear to be a literacy problem."
"Most organisations are not struggling with tools," said Melançon. "They are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk."
"When it comes to breach data, it's clear that customer data has the spotlight," said Erlin. "Executives are overwhelmingly aware of the risk that exposing customer data poses, in part because it's quantifiable, and in part because it's newsworthy. A breach with customer data invokes data breach notification laws and potential fines in some environments. It also makes headlines and drives lawsuits. While losing trade secrets is a risk, it's harder to model the outcomes."
Conclusion
"Outside of a breach to their own organisation, respondents were largely influenced at the same level by high-profile incidents and vulnerabilities," said Erlin. "The commonality is the media profile of an event rather than any intrinsic qualities of the event itself. Ultimately, all risk is personal, and there's nothing like a personal breach to bring home the impact of cybersecurity."
"Executives and IT security teams have dramatically improved their ability to communicate cybersecurity risk to boards, but the key is to make cybersecurity actionable before a breach," said Melançon. "Confidence in communication with the board is a great first step, but effective communication that moves cybersecurity up the list of business priorities is the objective."