Dark Reading is part of the Informa Tech Division of Informa PLC

Security Management

10/30/2018
08:05 AM
Jeffrey Burt

Kaspersky: Most CISOs Say Cyber Attacks Are Inevitable

The Kaspersky Lab report says that while the relationship between executives and CISOs is improving, there continues to be a disconnect around such issues as budgets and the risk of threats.

The bulk of companies' top security officials believe that cybersecurity breaches are inevitable, according to a report by Kaspersky Lab that also highlighted the changing roles of CISOs and their uneasy relationships with other C-level executives.

The report, "What It Takes to Be a CISO: Success and Leadership in Corporate IT Security," paints a picture of chief information security officers under increasing pressure to protect their companies against attacks that are extremely difficult to prevent while often lacking the financial resources they say they need and vying with other departments for budgets.

In addition, while many feel they are adequately involved in the business-decision process, their roles in defending against cybersecurity attacks may not be a high enough priority, according to Kaspersky researchers.

(Source: iStock)

However, while there may be ongoing tension between CISOs and other top executives over budgets and the realities of the current security environment, the relationship seems to be improving, even if only gradually.

"Although a number of studies have been released quantifying the impact of a breach, the ROI of IT security expenditure can still be hard to argue, as most calculations include probabilities and assumptions on the damage caused by breaches, including direct financial losses and the costs associated with reputational losses," Andrey Pozhogin, cybersecurity expert at Kaspersky, told Security Now in an email. "Therefore, there continues to be some disconnect between top-level management and CISOs in regards to security expectations."

However, Pozhogin said, overall the relationship between executives and CISOs has strengthened in recent years. He noted as an example that "the portion of IT budgets spent on security has increased in North America over the past year, for both enterprises and SMBs. This is evidence that cybersecurity is becoming more of a boardroom issue and a priority for companies of all sizes."

The survey, conducted by PAC for Kaspersky, questioned 250 IT decision makers in the manufacturing and service sectors earlier this year. Among the key findings is that 84% of CISOs in North America said that cyberbreaches are inevitable, listing ransomware, phishing, general malware and Trojans as among the most difficult types of attacks to respond to. Forty percent named financially motivated criminal gangs as the largest IT security risk, followed by malicious insiders (29%), and respondents described both kinds of attack as very difficult to prevent.

The ongoing digital transformation within most companies only heightens the risk of cybersecurity threats. Cloud adoption, and in particular uncontrolled cloud expansion by lines of business, was cited by survey respondents as the top security risk associated with digital transformation, followed by social networks and mobility, all key factors in increasingly digital businesses. Respondents also listed complex infrastructures involving the cloud and mobility, managing personal data and sensitive information, and the increase in cyber attacks as the top challenges CISOs face.

(Source: Kaspersky Lab)

Kaspersky researchers note that the trend toward digital transformation should mean that cybersecurity becomes a top priority, which should lead to the CISO evolving to becoming more influential in important business decisions. Pozhogin added that 58% of CISOs said they are adequately involved in decision-making, an indication that their influence is growing.

"However, in addition to just involvement, it is important that security leaders are a part of the organizational hierarchy," he said. "Having a CISO at the executive level is still only typical in enterprises that are highly digital, highly sensitive or very large, and in North America, just 40 percent of cybersecurity managers are part of the C-suite. While the trend is headed in the right direction, there is still plenty of room to grow."

Other cybersecurity vendors have echoed the sentiment.

Trend Micro researchers in September noted that despite the rapid growth worldwide in the number of intelligent connected devices, only 38% of Internet of Things projects include input from CISOs and other IT security professionals. (See Why CISOs Need a Seat at the IoT Projects Table.)

There also is a disconnect between CISOs and executives regarding budgets. Budgets are growing -- 60% of CISOs in North America expect to see increases -- but getting the money they believe they need is difficult. There is no clear ROI that can be presented to executive teams for security spending, and security professionals can't guarantee 100% protection from cyber threats. Thirty-six percent of CISOs surveyed said that being unable to promise there won't be a breach has prevented them from getting the security budgets they believe they need.

This is despite the growing understanding of the damage a breach can do to a company, both financially and to its reputation. Gemalto researchers found that the number of records breached in the first half of 2018 jumped 133% compared to the first six months of last year, to 4.5 billion records. In addition, reports by Comparitech and Kaspersky found that data breaches can hurt companies' long-term stock prospects and even cost C-level executives their jobs. (See Gemalto: 4.5B Records Breached in First Half of 2018.)

"The misalignment between CISOs and other executives most often happens because of a failure to clearly communicate the risk of an attack and its potential impact on the company's bottom line," Pozhogin said. "CISOs being experts in information technology and security tend to better understand the threat landscape and potential implications of each specific threat targeting their network. Other executives do not always have the same depth of understanding and the same level of operational insight, and thus they may downplay the risks, hoping that a minimal investment will suffice to establish a strong enough layer of defense."

Executives also tend to rely on "hope for the better," falling victim to the misconception that some industries are less likely to draw the same level of attention from attackers as others because there's nothing to steal and that companies that fall victim to a breach are targeted for reasons that aren't relevant to their own organization, he said.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
