New survey provides insights into senior-level thinking on cybersecurity priorities and the perceived degree of alignment between threats and solutions
Cybercrime poses perhaps the greatest threat to every company in the world. According to the Official 2017 Annual Cybercrime Report, announced by Cybersecurity Ventures, it will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
As a result, Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively to 2021. Taken as a whole, they anticipate 12-15 per cent year-over-year cybersecurity market growth through 2021.
As business models have become increasingly digital, high-profile, reputation-damaging security breaches are grabbing more news media headlines. Many companies have ramped up their investments in cybersecurity, yet that spending is often not well aligned with actual threats.
Studies have shown that server focused solutions such as network anti-virus, malware detection and website firewalls attract the biggest investments, ignoring the fact that misuse of privileged credentials is by far the most common cause of breaches. The reasons for this disconnect are not well understood, in part because it sits at the intersection of the people and technology domains.
A recent study CEO Disconnect is Weakening Cybersecurity of over 800 executives by Centrify and Dow Jones Customer Intelligence reveals the disconnect between CEOs and CIOs, CTOs, and CISOs (Technical Officers) that is weakening cybersecurity. Designed to seek insights into senior-level thinking on this issue, including current cybersecurity priorities and the perceived degree of alignment between threats and solutions one of the key findings of the survey was that the majority of CEOs are investing in cybersecurity strategies that are out of kilter with their Technical Officers.
The primary threat
The report highlights that CEOs are incorrectly focused on malware – 62 per cent of CEOs inaccurately cite malware as the primary threat to cybersecurity, compared with only 35 per cent of Technical Officers, this misalignment within the C-suite, results in undue risk exposure and prevents organisations from effectively stopping breaches.
Technical Officers on the front lines of cybersecurity know that identity is the primary attack vector. CIOs, CTOs and CISOs point to identity breaches – including privileged user identity attacks and default, stolen or weak passwords – as the biggest threat. As a result, cybersecurity strategies, project priorities and budget allocations don’t always match up with the primary threats nor prepare companies to stop most breaches.
“While the vast majority of CEOs view themselves as the primary owners of their cybersecurity strategies, this report makes a strong argument that companies need to listen more closely to their Technical Officers,” said Tom Kemp, CEO of Centrify. “It’s clear that the status quo isn’t working. Business leaders need to rethink security with a Zero Trust Security approach that verifies every user, validates their devices and limits access and privilege.”
68 per cent of executives whose companies experienced significant breaches indicate it would most likely have been prevented by either privileged user identity and access management or user identity assurance.
Just eight per cent of executives stated that anti-malware endpoint security would have prevented the ‘significant breaches with serious consequences’ that they experienced.
Investing in the wrong solutions The study revealed that CEOs are investing in the wrong areas of cybersecurity. 60 per cent of CEOs invest the most in malware prevention and 93 per cent indicate they already feel ‘well prepared’ for malware risk.
Just under half (49 per cent) of CEOs say their companies will substantially reduce malware threats over the next two years, yet only 28 per cent of CTOs agree with this statement.
These investment decisions are frequently caused by misplaced confidence in the ability to protect against breaches, putting organisations at significant risk. While Technical Officers are more aware of the real risks, they are also frustrated by inadequate security budgets.
The study also exposed tension among executives. 81 per cent of CEOs say they are most accountable for their organisations’ cybersecurity strategies, while 78 per cent of Technical Officers make the same ownership claim.
Only 55 per cent of CEOs say their organisation has experienced a breach, whereas 79 per cent of CTOs acknowledge they’ve been breached. This indicates that 24 per cent of CEOs are not aware that they have experienced a breach.
“The traditional security model of using well-defined perimeters between ‘trusted’ corporate insiders and ‘untrusted outsiders’ to protect assets has evolved with the advent of cloud, mobile and IoT. Yet most enterprises continue to prioritise spending on traditional security tools and approaches,” said Garrett Bekker, Principal Security Analyst at 451 Research. “Centrify’s research reveals that a primary reason for conflicting cybersecurity strategies and spending is that C-level executives and technical managers don’t always see eye-to-eye regarding security priorities, and a misaligned C-Suite can put the organisation at risk. Modern organisations need to rethink their approach and adopt a framework that relies on verifying identity rather than location as the primary means of controlling access to applications, endpoints and infrastructure.”