Is Your Firm Resting on its Security Laurels?

Amid the alarming explosion of malware, ransomware, phishing schemes, and other serious cyber threats, one of the greatest dangers to enterprise IT security has nothing to do with the latest bad actor. Instead the unlikely culprit often turns out to be overconfidence.

Clearly, there’s more awareness of cyber security than ever. Worldwide spending on information security products and services is expected to hit $86.4 billion this year, a 7% spike over 2016, according to Gartner. But investments in new cyber tools and talent don’t always translate into reducing risk, especially when companies fail to diligently attend to the security basics.

Unfortunately, top executives aren’t necessarily getting that message.

A recent Deloitte study found that more than three-quarters (76%) of C-level executives surveyed expressed high confidence in their firms’ ability to respond to cyber incidents despite serious gaps in their security posture. They felt their firms were meeting the mark for security readiness despite the fact that the majority had yet to document and test security response plans with business users (82%). Fewer than half (46%) conducted war games or simulations on any kind of regular basis, and one in five lacked clarity on their firms’ cyber mandates, roles, and responsibilities, the research found.

In a separate report, the IBM Institute for Business Value Survey revealed a similar disconnect: Sixty-five percent of the C-level execs surveyed expressed confidence that their security plans were “well established.” But only 17% of that same group met the standards for the highest levels of preparedness and capability.

Security professionals say executives aren’t willfully ignoring cyber threats. In fact, Gartner attributed the increased spending on cyber security to the greater appreciation of the dangerous nature of the threat landscape. But here’s where organizations need to resist getting lulled into a false sense of security by incorrectly equating bigger investments in security technology and services with adequate coverage.

“Just like when companies hire a director of diversity or chief inclusion officer, they bring on security people and think we’re okay,” said Joseph Adu, director of technology for the Fay School, a school in Southborough, Massachusetts which serves 475 students from kindergarten through grade nine on its 66-acre campus.

Make it Plain

The situation is harder to address with C-level management, according to Adu, who said senior executives can’t always properly evaluate risk because they lack visibility into what’s happening in the trenches.

In his role as security lead, Adu is committed to changing that dynamic. Over the last year, he has stepped up the pace of internal communication. Adu now conducts regular check-ins with the school’s top management to keep the brass apprised of security threats along with updates on what his team is doing to address the risks.

“It’s my responsibility to keep a finger on the pulse of the security landscape in the world around us and within our organization, including bringing up concerns and talking about how we can address them,” he said.

Adu and other security professionals caution not to bury executives in the technicalities of IT security. Rather, they suggest that organizations seek to frame the discussion of the risks and solutions in a language that everyone in the organization can understand: the financial impact on the business.

At the same time, they underscore the need to communicate plainly the range of potential risks. Both senior executives as well as rank-and-file employees need to hear vivid examples of incidents that underscore the long-term impact of leaked data on an organization. What’s more, they stress the need for ongoing training that helps everyone understand that cyber security is a moving target, not a one-and-done exercise.

In practice, this requires both time and repetition.

Chiranjoy Das, CIO of Simple Tire, an online supplier of vehicle tires, runs everything from the cloud and so is highly dependent on the security capabilities offered by providers, such as Amazon AWS. But just because a big supplier is on the hook for protecting users from attack, Das isn’t taking chances.

His take is that sometimes overconfidence is more about being complacent and thinking you have the bases covered when you really don’t. That’s why Simple Tire runs regular validation testing to expose potential holes and follows AWS recommendations so security is built into their code.

Even so, he knows they aren't - and never will be - 100% covered. But Das is okay with that because he knows where the gaps are. That’s not being complacent and certainly not over confident. He calls it being pragmatic.

“We know our security capabilities,” said Das. “We’re in a fairly good place compared to many others.”