For security to work most efficiently in any organization, everybody has to be on board. I don’t mean they have to simply support the idea of good security practices, rather, they must actually have awareness of the greatest threats and risks to the organization, recognize what security procedures are necessary to address those threats and risks, and understand how to prevent falling into security traps. I’d also say that the higher up the organizational ladder one goes, the more essential it is to know specific regulations and the direct impact of security violations. Turning a blind eye to security or willingly ignoring the consequences of a potential attack is inexcusable as we go into 2017.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iYet, a recent survey conducted by Liaison Technologies found that senior executives are uninformed about the security and privacy regulations that their organizations are required to follow; 47 percent admit they don’t even know what compliance standards are applicable to their specific organization or industry. Another 25 percent say they don’t know who within the organization is responsible for security matters. And this specific statistic really surprised me, as reported by CSO:
Just three percent of respondents said that PCI DSS applied to their organization, a number that Liaison says is "surprisingly small" because it is a security standard that "applies to all entities that store, process or transmit cardholder data."
I’m still shaking my head in disbelief over that statistic. PCI DSS, along with HIPAA, is among the most recognized regulations out there, and at the very least, it is something that anyone that allows credit and debit card transmissions should be familiar with.
The study goes on to pinpoint a possible reason why attention to security and privacy issues, especially as they correspond to compliance regulations, is so low: 85 percent don’t think their job is at risk if there are compliance issues. Perhaps it is time to make leaders be more accountable for the cybersecurity incidents and mishandled compliance enforcement. At the very least, if they are going to assume a leadership position, they need to set an example for everyone else within the organization, as Travis Rosiek, CTO at Tychon, told SearchSecurity:
I think that it is important for C-level execs to lead by example; in many cases, I've seen executives not follow good security practices for various reasons, which impact the whole organization. What they don't realize is they are sending a message to the rest of the company that security and privacy [aren't] a corporate priority.
As Ryan Stolte, chief technology officer and co-founder of Bay Dynamics, told Forbes, if any other high-level employee, including members of the C-suite, walked into a board meeting with a poor performance, that person would be fired on the spot. It is time to set that same type of standard for security and privacy regulations and practices. Everyone in the organization has to recognize where the problems are, who the primary threats to steal the organization’s data are, and what compliances must be implemented, and it has to start at the top.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba