
Security Management

10/30/2018
08:05 AM
Jeffrey Burt

Kaspersky: Most CISOs Say Cyber Attacks Are Inevitable

The Kaspersky Lab report says that while the relationship between executives and CISOs is improving, there continues to be a disconnect around such issues as budgets and the risk of threats.

The bulk of companies' top security officials believe that cybersecurity breaches are inevitable, according to a report by Kaspersky Lab that also highlighted the changing roles of CISOs and their uneasy relationships with other C-level executives.

The report, "What It Takes to Be a CISO: Success and Leadership in Corporate IT Security," paints a picture of chief information security officers under increasing pressure to protect their companies against attacks that are extremely difficult to prevent while often lacking the financial resources they say they need and vying with other departments for budgets.

In addition, while many feel they are adequately involved in the business-decision process, their roles in defending against cybersecurity attacks may not be a high enough priority, according to Kaspersky researchers.

However, while there may be ongoing tension in the CISO's relationship with other top executives regarding budgets and the reality of today's modern security environment, things seem to be improving, even if only gradually.

"Although a number of studies have been released quantifying the impact of a breach, the ROI of IT security expenditure can still be hard to argue, as most calculations include probabilities and assumptions on the damage caused by breaches, including direct financial losses and the costs associated with reputational losses," Andrey Pozhogin, cybersecurity expert at Kaspersky, told Security Now in an email. "Therefore, there continues to be some disconnect between top-level management and CISOs in regards to security expectations."

However, Pozhogin said, overall the relationship between executives and CISOs has strengthened in recent years. He noted as an example that "the portion of IT budgets spent on security has increased in North America over the past year, for both enterprises and SMBs. This is evidence that cybersecurity is becoming more of a boardroom issue and a priority for companies of all sizes."

The survey, conducted by PAC for Kaspersky, questioned 250 IT decision makers in the manufacturing and service sectors earlier this year. Among the key findings is that 84% of CISOs in North America said that cyberbreaches are inevitable, listing ransomware, phishing, general malware and Trojans as among the most difficult types of attacks to respond to. Forty percent said financially motivated criminal gangs were the largest IT security risk, followed by malicious insider attacks (29%), and that such attacks were very difficult to prevent.

The ongoing digital transformation within most companies only heightens the risk of cybersecurity threats. The cloud, and in particular uncontrolled cloud expansion by lines of business, was cited by survey respondents as the top security risk, followed by social networks and mobility, all key factors in increasingly digital businesses. Respondents also listed complex infrastructures involving the cloud and mobility, managing personal data and sensitive information, and the increase in cyber attacks as the top challenges CISOs face.

Kaspersky researchers note that the trend toward digital transformation should mean that cybersecurity becomes a top priority, which should lead to the CISO evolving to becoming more influential in important business decisions. Pozhogin added that 58% of CISOs said they are adequately involved in decision-making, an indication that their influence is growing.

"However, in addition to just involvement, it is important that security leaders are a part of the organizational hierarchy," he said. "Having a CISO at the executive level is still only typical in enterprises that are highly digital, highly sensitive or very large, and in North America, just 40 percent of cybersecurity managers are part of the C-suite. While the trend is headed in the right direction, there is still plenty of room to grow."

Other cybersecurity vendors have echoed the sentiment.

Trend Micro researchers in September noted that despite the rapid growth worldwide in the number of intelligent connected devices, only 38% of Internet of Things projects include input from CISOs and other IT security professionals. (See Why CISOs Need a Seat at the IoT Projects Table.)

There also is a disconnect between CISOs and executives regarding budgets. Budgets are growing -- 60% of CISOs in North America expect to see increases -- but getting the money they believe they need is difficult. There is no clear ROI that can be presented to executive teams for security spending and security professionals can't guarantee 100% protection from cyber threats. Thirty-six percent of CISOs surveyed said not being able to promise there won't be a breach has led to them not being able to get the security budgets they believe they need.

This is despite the growing understanding of the damage a breach can do to a company, both financially and to their reputations. Gemalto researchers found that the number of records breached in the first half of 2018 jumped 133% compared to the first six months last year, to 4.5 billion records. In addition, reports by CompariTech and Kaspersky found that data breaches can impact companies' long-term stock prospects and even cost C-level executives their jobs. (See Gemalto: 4.5B Records Breached in First Half of 2018.)

"The misalignment between CISOs and other executives most often happens because of a failure to clearly communicate the risk of an attack and its potential impact on the company's bottom line," Pozhogin said. "CISOs being experts in information technology and security tend to better understand the threat landscape and potential implications of each specific threat targeting their network. Other executives do not always have the same depth of understanding and the same level of operational insight, and thus they may downplay the risks, hoping that a minimal investment will suffice to establish a strong enough layer of defense."

Executives also tend to rely on "hope for the better," falling victim to the misconception that some industries are less likely to draw the same level of attention from attackers as others because there's nothing to steal and that companies that fall victim to a breach are targeted for reasons that aren't relevant to their own organization, he said.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
