Study finds C-Suite overconfident about network security
By Gary Stoller, ThirdCertainty
Like the arrogant Russian computer hacker who liked to declare “I am invincible” before his demise in the 1995 James Bond film GoldenEye, top executives are mistakenly pounding their chests about the effectiveness of their companies’ cybersecurity.
A new study by cybersecurity analytics company RedSeal reveals that nearly 60 percent of 350 C-level executives surveyed believe they can “truthfully assure” their boards of directors “beyond a reasonable doubt” that their organization is secure.
“It’s remarkable,” says RedSeal Chairman and CEO Ray Rothrock, “how many executives say their networks are secure until we drill down into the issue, and it becomes obvious not only that there are vulnerabilities, but also that many organizations have no idea where those weak spots are.”
Industry studies—such as FireEye’s 2014 report Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model—show that network breaches occur at up to 97 percent of all companies.
A report released in May by market analytics firm Juniper Research predicted that data breaches will cost the global economy $2.5 trillion by 2019—nearly four times more than this year.
Perception and reality don’t match
Yet, the new RedSeal study apparently shows that top executives feel their companies are impervious to the increasing cyber attacks. “Corporate executives likely feel that since they spend so much time and money to harden their networks, they must be secure,” says Steve Timmerman, RedSeal vice president for corporate marketing and business development.
Security overconfidence can cause many problems for a company, Timmerman says. Overconfident executives could assign responsibility for the company’s cybersecurity program below the board level and provide inadequate security resources, he says. Overconfidence also could lead to complacent security management, more frequent and significant breaches, and legal concerns.
The RedSeal survey was conducted this year, and all 350 executives who responded led organizations with more than 250 employees. At least 20 percent of respondents led organizations with more than 1,000 employees.
Fewer than one-third of those who responded said they have full visibility into their global network, and 86 percent acknowledged gaps in their ability to see and understand what’s really happening inside their network.
RedSeal officials say the study shows corporate executives have “a lack of understanding about what strategic security actually entails.” The study also shows, RedSeal officials say, that “to ensure optimal security, organizations need a strategic approach that blends top-tier technologies with operations and policies that enable full network transparency.”
Other survey results:
- 79 percent of respondents admitted it is impossible to effectively secure what can’t be seen and understood.
- 29 percent said they knew “for a fact that their network is currently under attack by hackers.”
- Nearly half of respondents said security is strategic to their business.
- 72 percent said security products such as antivirus software and firewalls are necessary, but not strategic to their business.
- 94 percent said that “If I could clearly understand all the possible ways attackers can get in and out of my network—with clear, simple instructions about what should be fixed first, second, third, etc.—that, to me, would be a strategic security solution and critical capability.”
Results of the RedSeal study should send a message to corporate executives to probe “their organization’s security infrastructure and practices to understand the real story—since claims can be unjustifiably optimistic,” Timmerman says.
“Properly securing a network starts with having full visibility of that network,” he says. “Building a fully functioning model of the network, testing that model to identify security gaps, and prioritizing actions to address those gaps is fundamental to achieving network resilience, and, ultimately, building a solid defense against cyber threats.”