Regulations, ROI and critical technology – how the C-suite should approach information security
Over the course of the last few months, information security has dominated headlines across the media. High profile cyber breaches, pressing EU regulation, educational policy changes and a generational gap in information security skills are all triggers behind intensified board level engagement on the subject.
However, a lack of understanding around the threat to cyber security, at the board level, remains one of the most significant challenges for organisations. In fact, a recent study by KPMG found that board communication remains the biggest threat to cyber risk awareness. The study found that only 55% of board member said they understood the potential impact of losing their companies key information and data assets while 65% said they rarely, or never, reviewed the risk management around valuable company information.
The responsibilities of the C-suite
An interesting discussion that is generating a lot of noise is in the board room is whether or not CISOs should have a technical background. There is an argument to suggest CISOs with a technical background can get consumed with detail and be unable to communicate clearly to the board; the most salient risks, costs and the organisational impact of vulnerabilities. Alternatively, the ability for a CISO to translate technology responses and risks – with the ability to challenge advice from staff and suppliers – at a senior level could be a differentiator amidst a climate of frequent security hacks.
Perhaps a larger concern, and issue we have observed, is that boards are unsure of who is responsible for the security of the organisation’s data assets. A recent information security event, ‘Defending the Network or Protecting the Business’, involved a lot of discussion between senior board members around this topic. Ultimately, there is a collective responsibility among the CEOs, CTOs, CIOs, CISOs and COOs to ensure that the appropriate investment, technologies, risk assessment, communications and defences are set in place to define - and provide a solution for - the threat of an organisation’s most valuable data assets being exposed.
Whether board members have a technical understanding of the security vulnerabilities that they face or not, they must agree on the need to properly assess the threats, risks, costs and implications of a breach of their systems.
Emerging technologies equal emerging threats
Furthermore, as businesses adopt new and emerging technologies, the implications of a cyber security breach are reaching critical mass. For example, a recent story in the news reported that two million cars using wireless insurance dongles had major security vulnerabilities that made them an easy target for cyber attacks, this could result in hackers being able to breach the cars control systems and completely take over the vehicle.
Cybercriminals are developing and advancing attack software at a quicker pace than organisations can protect their data assets and until the board begin to understand the reality of the threats, the development of information security will continue to be insufficient. Businesses must balance their adoption of essential technologies such as IoT and big data while defending their network and protecting their business and brand.
Challenges facing the board
The external cyber security implications for business are not all threat related however. There are two impending EU data protection laws, the Network and Information Security (NIS) directive and the General Data protection Regulation (GDPR), that affect all organisations operating in the EU that process data of EU residents.
In a recent survey, anti-malware expert FireEye found that 39% of organisations in the UK, Germany and France are not prepared for these laws. The survey found that significant fears were over the proposed fines (58%), potential damage to business reputation (57%) and loss of business and/or revenue (58%).
As boards increase their engagement in their cyber security programmes, they are seeking knowledge on the appropriate talent required to mitigate threats facing them. For example, do they need threat analysts and threats monitors to assess what their vulnerabilities are and the cost and implications of a breach? Or do they need third party security consultants to plan and implement cyber security safeguards?
Skills gap
In the background to this, a study predicted demand for cyber-skills is set to increase 23% each year until 2025. The Information Systems Security Association (ISSA) forecasted there is between 300,000 and 1,000,000 vacant cyber security positions worldwide.
The systemic need for STEM skills across web technology, analytics, IT and digital sectors means that the information security industry will have to compete for an already highly in-demand pool of skilled talent.
However, significant efforts are being made to reduce the gap in cyber security skills at governmental and industry level. GCHQ has approved four new cyber security masters degrees with a further two pending, which the department are going to continually renew to generate demand for cyber security careers. While the ISSA have developed the Cybersecurity Career Lifecycle (CSCL) to clearly define the cyber security career to attract existing professionals and new talent to the industry.
It is vital, however, that the C-suite equally invests in cyber security initiatives to secure the right talent to protect their businesses on a short and long term basis. As the gap in skilled talent in the information security industry continues to expand, businesses are leaving themselves more exposed than ever. It is fundamental that the board begin to understand both the internal and external threats facing their most valued information assets.
Sourced from Mark Braund, Interquest Group
