Earlier this week, Lancope and Ponemon Institute put out the report “Cyber Security Incident Response: Are we as prepared as we think?,” which found that corporate leaders remain in the dark when it comes to cybersecurity. According to the study:
In the past 24 months, most organizations represented in this study had at least one security incident and expect that another incident will occur in the near future. Most respondents agreed that the best thing that their organizations could do to mitigate future breaches is to improve their incident response capabilities.
The respondents (674 IT and IT security professionals in the U.S. and the UK) reported that investment in security and incident response has remained static over the past two years, particularly when compared with other IT expenditures. The survey also revealed that upper-level management may not know as much as it should about what goes on in IT security:
Another key observation is that C-Suite executives are often not informed about Computer Security Incident Response Team (CSIRT) activities. Only 20 percent of respondents say they very frequently or frequently communicate with executive management about potential cyberattacks or threats against the organization.
The study also found that a very low number of executives are active participants in the response process.
As I read over the survey, I realized I had heard this story before. Many times. As far back as 2009, Ponemon did a study that found that executives do care about cybersecurity, but their staffs are not communicating details about the types of security problems and where they exist.
The Target and Neiman Marcus breaches, and the public response by those companies, spotlight why there needs to be better communication between IT and executives about cybersecurity and incident response. This survey raises the question of whether the CEOs of those two companies, or any C-level executive in a company that has suffered a breach, even knew they were under attack until long after the fact.
Mike Potts, president and CEO of Lancope, said in a statement:
If 2013 is any indication, today’s enterprises are ill-equipped to identify and halt sophisticated attacks launched by nation-states, malicious outsiders and determined insiders. Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response.
Now is also the time to learn why IT personnel seem so reluctant to communicate breaches to executive staff. Breaches and attacks on the company network will happen, and over half of those surveyed expect to experience a breach within the next year. But if the people who control the budget aren't aware of the concerns and the realities, cybersecurity and incident response will continue to take a backseat in funding.