The Ponemon Institute released the second part of their "Exposing the Cybersecurity Cracks: Australia" report earlier this week. Sponsored by Websense, the report focussed on three key areas: Roadblocks, Refresh and Raising the Human Security IQ.
The report surveyed IT security practitioners with an average of 10 years’ experience in the field from Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Italy, Mexico, the Netherlands, Singapore, Sweden, United Kingdom and the United States.
The regional summary for Australia can be downloaded here.
In the past, security was left almost entirely to the IT manager. But recent events such as the Target, LinkedIn and eBay breaches, Heartbleed and the CCS Injection Vulnerability, and the prominence of internal threats like Edward Snowden have raised security awareness right through the entire enterprise. In particular, the firing of the CIO and CEO by Target has made executives very aware that they can no longer ignore cybersecurity.
That leads to the first challenge identified in the report: communications between all of the affected parties are hindered.
In many organisations, there is a disconnect between IT and the board. There are at least three layers in most companies: operational staff, management and executives, and the Board of Directors. The language and requirements of each group are different and often none of the layers know what information each needs when it comes to cybersecurity, how to present information and what answers to expect when asking questions.
Gerry Tucker, Websense's Regional Director for ANZ, told us that security professionals are struggling to communicate up the corporate chain of command. At the same time directors are becoming increasingly competent when using technology but struggle to make a connection between how they use their devices and the security challenges their companies face.
According to the Ponemon Institute's report, a third of cybersecurity teams in Australia never talk to the executive suite about security. Of the remainder, just over one in five spoke to the executive twice a year and another 21% spoke about security with the executive semi-annually.
In other words, the communication of risks between different organisational layers is limited.
The two most widely reported security incidents of recent months, the Target breach and Heartbleed, highlight the so-called "Refresh" issue identified by the Ponemon Institute. In order to address modern security threats, there may be a need to re-architect existing systems.
For many businesses this is seen as prohibitively complex and expensive. As a result, point solutions are deployed that only fix specific vulnerabilities rather than addressing architectural faults.
For example, the widely used OpenSSL library has been shown to have two major security flaws recently. Given this recent history, it may make sense to look to other solutions, such as alternative tools for validating SSL traffic. But re-architecting systems, which might be a better long-term solution, is overlooked when a more immediate and lower-cost patch is readily available.
Similarly, with the Target breach, one of the reasons the hackers were able to access so much data was that there was insufficient segregation of data and systems. As a result, hackers were able to make their way from the log-in of an external contractor to point of sale systems. So, changing the architecture may be a way of removing a security risk.
So, what would it take for an executive team to allocate more funding to cybersecurity initiatives? The exfiltration of intellectual property would get the attention of 65%. A data breach involving customer data would move 58%, and regulatory action to investigate your company's data protection practices would motivate 46% of respondents.
Raising the Human Security IQ
Increasing the understanding and awareness of security issues and challenges remains a significant challenge.
During the discussion with Tucker and Nigel Phair, a former police officer and current Director of the Centre for Internet Security at the University of Canberra, it became apparent that a substantial part of the problem rests with not having the right language to communicate between different organisational layers.
Looking back, when ERP systems were being widely deployed, IT and business users created the role of the Business Analyst - someone who bridged the gap between the technical world and business operations. It became clear in the discussion that such a role would be valuable for security and compliance teams.
There's also a need for operations, management and board members to develop a better communications model where each group collects and delivers the right information in a form that is useful for each different group.
Anthony Caruana attended the launch of this report as a guest of Websense.
This article is brought to you by Enex TestLab, content directors for CSO Australia