Study finds C-Suite overconfident about network security


By Gary Stoller, ThirdCertainty

Like the arrogant Russian computer hacker who liked to declare “I am invincible” before his demise in the 1995 James Bond film GoldenEye, top executives are mistakenly pounding their chests about the effectiveness of their companies’ cybersecurity.

A new study by cybersecurity analytics company RedSeal reveals that nearly 60 percent of 350 C-level executives surveyed believe they can “truthfully assure” their boards of directors “beyond a reasonable doubt” that their organization is secure.

Ray Rothrock, RedSeal chairman and CEO

“It’s remarkable,” says RedSeal Chairman and CEO Ray Rothrock, “how many executives say their networks are secure until we drill down into the issue, and it becomes obvious not only that there are vulnerabilities, but also that many organizations have no idea where those weak spots are.”

Industry studies—such as FireEye’s 2014 report Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model—show that network breaches occur at up to 97 percent of all companies.


A report released in May by market analytics firm Juniper Research predicted that data breaches will cost the global economy $2.5 trillion by 2019—nearly four times more than this year.

Perception and reality don’t match

Steve Timmerman, RedSeal vice president for corporate marketing and business development

Yet, the new RedSeal study apparently shows that top executives feel their companies are impervious to the increasing cyber attacks. “Corporate executives likely feel that since they spend so much time and money to harden their networks, they must be secure,” says Steve Timmerman, RedSeal vice president for corporate marketing and business development.

Security overconfidence can cause many problems for a company, Timmerman says. Overconfident executives could assign responsibility for the company’s cybersecurity program below the board level and provide inadequate security resources, he says. Overconfidence also could lead to complacent security management, more frequent and significant breaches, and legal concerns.


The RedSeal survey was conducted this year, and all 350 executives who responded led organizations with more than 250 employees. At least 20 percent of respondents led organizations with more than 1,000 employees.

Less than one-third who responded said they have full visibility into their global network, and 86 percent acknowledge gaps in their ability to see and understand what’s really happening inside their network.

RedSeal officials say the study shows corporate executives have “a lack of understanding about what strategic security actually entails.” The study also shows, RedSeal officials say, that “to ensure optimal security, organizations need a strategic approach that blends top-tier technologies with operations and policies that enable full network transparency.”

Other survey results:

  • 79 percent of respondents admitted it is impossible to effectively secure what can’t be seen and understood.
  • 29 percent said they knew “for a fact that their network is currently under attack by hackers.”
  • Nearly half of respondents said security is strategic to their business.
  • 72 percent said security products such as antivirus software and firewalls are necessary, but not strategic to their business.
  • 94 percent said that “If I could clearly understand all the possible ways attackers can get in and out of my network—with clear, simple instructions about what should be fixed first, second, third, etc.—that, to me, would be a strategic security solution and critical capability.”

Results of the RedSeal study should send a message to corporate executives to probe “their organization’s security infrastructure and practices to understand the real story—since claims can be unjustifiably optimistic,” Timmerman says.

“Properly securing a network starts with having full visibility of that network,” he says. “Building a fully functioning model of the network, testing that model to identify security gaps, and prioritizing actions to address those gaps is fundamental to achieving network resilience, and, ultimately, building a solid defense against cyber threats.”
