Despite the massive security breaches suffered by corporations such as Target, Home Depot, Sony Pictures, and JPMorgan in the past year, two recent surveys show that many companies are still unprepared for, or uninterested in, cyber security.
The Christian Science Monitor reports that Raytheon, a defense contractor, and the International Data Corporation (IDC), a market research firm, commissioned surveys on the state of information security in American business. The surveys polled leading information and cyber security professionals across the country, including chief information officers (CIOs), chief information security officers (CISOs), and other executives and professionals. The results reveal a general lack of consideration and seriousness that many chief executive officers (CEOs), board members, and other non-tech executives share regarding cyber security for their digital information.
The hacking and data losses that many high- (and low-) profile companies experienced last year led many in the business world to call for more focus on cyber and information security. However, the surveys expose a major difference between the general, well-meaning sentiments many executives profess and their actual practice.
Of the 1,006 experts surveyed by Raytheon, 78% of respondents claimed that their boards have not been briefed at all on their company’s cyber security measures during the past year. Moreover, only 25% claimed that their executive officers considered information security to be a top priority while the remaining three-quarters stated that their bosses viewed such security to be merely a “necessary cost.”
The IDC survey, which has yet to be published, indicates similar results, with a few key differences. Only 15% of the 269 cyber security professionals surveyed claim that their CISOs directly communicate with their CEOs (Raytheon’s survey has that figure at 14%). In addition, the IDC found that the majority of the CEOs who confer with their CISO run small businesses as opposed to larger ones, which may be disconcerting for investors in larger, multimillion (and even multibillion) dollar companies.
However, the survey isn’t all bad news. A majority of respondents claimed that their companies have put more emphasis on security, which in turn has improved their companies’ overall security protocols. Forty-two percent of CISO respondents report to their board of directors every quarter, and more than 60% of CISOs claim they have interacted with the board members more over the past few months.
“Given the sophistication of current cyber-attacks, companies can no longer have an outside-in approach with emphasis only on perimeter security,” says Bob Goodrich, VP Marketing, JSCAPE. “Companies need to have an inside-out approach and ensure they are deploying applications that are security centric, such as managed file transfer systems.”
Jack Harrington, vice president of cybersecurity and special missions at Raytheon, views the surveys’ results as an indication that, for the most part, upper management in many companies still does not view hacking or breaches as a serious threat, though he does admit that companies in general are headed in the right direction.
Pete Lindstrom, an analyst at IDC, shares Harrington’s opinion that companies aren’t taking as many precautions as they should. He is willing, however, to give the benefit of the doubt to these companies, especially those that have a higher level of interaction between their security team and their executives.
“Some of this is really framing how you want to say it,” Lindstrom said. “You could look at it as a glass half-full, glass half-empty kind of thing.”
“It is the business oriented risk-reward folks who succeed” and not the paranoid ones, he added.