Organizations should pay greater attention to forming a strong security culture.
The cyber security landscape is ever evolving. While attackers constantly probe for new vulnerabilities to exploit in corporate networks, technology and security leaders are being forced to adopt new strategies to combat threats.
Against this backdrop, the 2019 State of Cybersecurity Study by the cybersecurity association ISACA shows that only one-third of cybersecurity leaders have high levels of confidence in their cybersecurity team’s ability to detect and respond to cyber threats. The study also observes that, owing to a culture gap, a lack of education and awareness, and unsupportive senior management, a majority of cyber crimes go unreported.
CISO reporting structure needs a relook
The highest levels of confidence are correlated with teams that report directly to the CISO, and the lowest levels with teams reporting to the CIO. Yet in most organizations the CISO reports to the technology head of the organization and, in the worse case, to someone with little knowledge of security or technology.
These findings indicate the confusion enterprises experience when structuring cyber security alongside information technology. A CIO’s main goal is managing and implementing information technology, which is substantially different from securing and protecting it. In this reporting structure, cyber security can become a secondary consideration, leaving the team less confident of being cyber ready.
In fact, a higher percentage of respondents are confident in cyber security teams that report to the CEO than in those that report to the CIO. However, very few organizations have this kind of structure.
Frank Downs, director of ISACA’s cybersecurity practices, says: “When the cybersecurity teams report directly to a designated and experienced cybersecurity executive, they report having significantly more confidence in their team’s capability to detect attacks and respond effectively.”
Organizational culture gap in cyber security
Another important finding of the study is that most companies do not have a culture that supports cybersecurity.
According to ISACA’s 2018 Cybersecurity Culture survey of about 5,000 senior technology and security leaders, almost 95% of organizations believe there is a significant gap between their current and desired cybersecurity culture.
For example, obtaining cybersecurity certifications for cyber professionals is less of an immediate priority. The report also points out that the desired cybersecurity culture is often held back by a lack of employee buy-in and by disparate business units.
Cyber crime goes unreported
Another pertinent problem highlighted by the new ISACA study, which again echoes the earlier findings on the cyber security culture gap, is that a majority of cybercrime goes unreported. Of the 1,500 CIOs and CISOs surveyed globally, nearly half said they believe most enterprises under-report cybercrime, even when they are required to report it. Over 50% also reported an increase in cyber security attacks on their organization this year, and nearly 80% fear the likelihood of a cyber attack next year, the report found.
“The cyber landscape is complex. Cyber security, though in focus today, suffers from a siloed and static approach,” says Renju Varghese, Fellow & Chief Architect – Cyber Security & GRC, at HCL Technologies Ltd.
Varghese notes, “Many teams are missing the attacks that significantly impact organizations because they don’t have the size or expertise to keep up with the attackers and are overwhelmed. Moreover, their existing security tools and processes are segregated and seldom work in tandem, leaving the teams staring at multiple consoles and drowning in alerts and incidents.”
However, by carefully analyzing the variables that contribute to incident susceptibility and team inefficiency, organizations can better prepare themselves for the dangers posed by cyber miscreants, says ISACA’s Downs.
He concludes that by specifically analyzing key organizational attributes, such as the cyber reporting structure, prevalent attack methods and team readiness through a culture of continuing education, organizations can increase their resilience to potential incidents.