When you read that more than 90 percent of corporate executives said they cannot read a cybersecurity report, it makes you wonder what is going wrong with the way the cyber security industry communicates threats and risks. Is cyber security still too overtly technical? Or is it that the executives in question don’t know whom to take trusted advice from?
The 90 percent figure comes from a survey performed by Goldsmiths that included responses from 1,530 non-executive directors and senior executives in the United States, United Kingdom, Germany, Japan and the Nordic countries. CNBC posted this story to their website with the worrying analysis that the executives surveyed are also not prepared to handle a major attack. If this survey were 3 years old, the figures might not be too alarming, but in the wake of so many high-profile global cyber attacks making the news it does seem that there is still significant boardroom inertia to overcome before action is taken.
Another statistic from the same survey indicated that there is a growing cybersecurity “accountability gap”, as 40 percent of these executives admitted they didn’t feel responsible for the impact of a cyber attack. It appears that responsibility for cyber security is still being handed over to the relevant technical teams, yet it has been repeatedly shown that cyber security is a company-wide issue that requires leadership from the top, with understanding of and adherence to guidelines from everyone in an organisation. A collective awakening of executives, which many of the cyber professionals I speak to would like to see, is unlikely to happen; instead we will continue along this path of action being taken only once a breach has occurred, irrespective of the number of warnings the cyber industry may issue. This is disappointing to say the least, as the cyber industry does not want the unjust reputation of being the “I told you so” voice in a post-attack project team.
Perhaps one reason that executives are turning their heads away from cyber security is the potential cost. A popular misconception is that implementing cyber strategies and defences is going to cost significant amounts. There is no doubt that a cost will be incurred, but as CS Online pointed out this week with regard to cyber security spending, more does not necessarily mean better! They advocate the strategy that risks should be carefully and continuously monitored and re-assessed before any money is spent on new defensive technologies.
Isn’t that obvious? Of course it is! We all make assessments before we spend money, even if it’s choosing which salad to buy at lunchtime, but again cyber security seems to fall into a collective blind spot where money is thrown at the problem in the hope that it might go away. As cyber security is a dynamic risk, changing constantly, spending on it should perhaps be seen in the same vein: ongoing, and based on risk analysis and threat intelligence.
The PWC report that CS Online refers to points out that almost half (47%) of respondents said that adding new technologies is their main spending priority, higher than all other initiatives. Only 24% said that cybersecurity strategy redesign is a priority, and as few as 15% see cybersecurity knowledge sharing as a priority. It really does feel that many organisations are going about addressing their cyber security issues the wrong way.
Perhaps this is where the lessons being learned from the ongoing Panama Papers story can help. The 11.5 million confidential files belonging to Panamanian law firm Mossack Fonseca are being trawled through by investigative journalists in an embarrassing mass leak for the firm and its clients. The legal sector is seeing this as its ‘Edward Snowden Moment’, where a privileged insider has decided to draw down a large volume of documents and pass them to the International Consortium of Investigative Journalism (ICIJ), which means that it has been done in a very carefully stage-managed manner. In the fullness of time more details on the actual mechanics of the leak will come to light and will make all those holding legal documents, especially those about high-profile or high-net-worth individuals, reassess their strategies for protecting them. So perhaps that is the answer for all these executives who are ignoring the advice of the cyber security industry: talk to your solicitor about it and see how they advise you to go about keeping your secrets secret.
For links to all these stories and more, or to contribute with some comments, join us by searching for the National Cyber Skills Centre on our social channels of Facebook, LinkedIn and Twitter, or just click the relevant links from our website.