Exposing the Cybersecurity Cracks - Hurdles to Getting Security Right

The Ponemon Institute released the second part of their "Exposing the Cybersecurity Cracks: Australia" report earlier this week. Sponsored by Websense, the report focussed on three key areas: Roadblocks, Refresh and Raising the Human Security IQ.

The report surveyed IT security practitioners with an average of 10 years’ experience in the field from Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Italy, Mexico, the Netherlands, Singapore, Sweden, United Kingdom and the United States.

The regional summary for Australia can be downloaded here.

In the past, security was left almost entirely to the IT manager. But recent events such as the Target, LinkedIn and eBay breaches, the Heartbleed and CCS Injection vulnerabilities in OpenSSL, and the prominence of insider threats exemplified by Edward Snowden have raised security awareness right through the enterprise. In particular, the departure of Target's CIO and CEO in the wake of its breach has made executives very aware that they can no longer ignore cybersecurity.

That leads to the first challenge identified in the report: communications between all of the affected parties are hindered.

In many organisations there is a disconnect between IT and the board. Most companies have at least three layers: operational staff, management and executives, and the Board of Directors. Each group speaks a different language and has different requirements, and often none of them knows what information the others need about cybersecurity, how to present it, or what answers to expect when asking questions.

Gerry Tucker, Websense's Regional Director for ANZ, told us that security professionals are struggling to communicate up the corporate chain of command. At the same time, directors are becoming increasingly competent users of technology but struggle to connect the way they use their own devices with the security challenges their companies face.

According to the Ponemon Institute's report, a third of cybersecurity teams in Australia never talk to the executive suite about security. Of the remainder, just over one in five spoke to the executive twice a year and another 21% spoke about security with the executive semi-annually.

In other words, the communication of risks between different organisational layers is limited.

The two most widely reported security incidents of recent months, the Target breach and Heartbleed, highlight the so-called "Refresh" issue identified by the Ponemon Institute. In order to address modern security threats, there may be a need to re-architect existing systems.

For many businesses this is seen as prohibitively complex and expensive. As a result, point solutions are deployed that only fix specific vulnerabilities rather than addressing architectural faults.

For example, the widely used OpenSSL library has recently been shown to have two major security flaws, Heartbleed and CCS Injection. Given that history, it may make sense to look at alternative tools for handling SSL/TLS traffic. But re-architecting systems, which might be the better long-term solution, is overlooked when a more immediate and lower-cost patch is readily available.

Similarly, with the Target breach, one of the reasons the attackers were able to access so much data was insufficient segregation of data and systems: from the network access granted to an external contractor they were able to make their way to the point-of-sale systems. Changing the architecture, in this case segmenting the network so that a contractor's access cannot reach the payment environment at all, may be a way of removing a security risk rather than patching around it.
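As an added illustration of that segmentation point (this is example code, not from the article, Websense or the Ponemon report), the following Python models a network as zones with allowed-connection rules and searches for a pivot path from an untrusted vendor zone to the payment environment. The zone names and both rule sets are constructed assumptions, loosely modelled on the public description of the Target breach, not Target's actual network. The same check generalises to any "can an untrusted entry point reach a protected zone, directly or by pivoting" question.

```python
"""
Lateral-movement path check over a zone-based network policy.

Added example for the segmentation point in the article; not code from
the article, Websense or the Ponemon report. Zone names and both rule
sets below are constructed assumptions for illustration.
"""
from collections import deque

# A policy is a list of (source_zone, destination_zone) pairs that may
# initiate connections. Anything not listed is denied.

# Flat network: the vendor portal sits on the corporate LAN, and head
# office can reach the stores' point-of-sale systems directly.
FLAT_POLICY = [
    ("internet", "vendor_vpn"),     # contractors dial in from outside
    ("vendor_vpn", "corporate"),    # vendor portal lives on the corporate LAN
    ("corporate", "corporate"),
    ("corporate", "pos"),           # store systems reachable from head office
    ("pos", "corporate"),
]

# Segmented network: vendors land only on a dedicated portal zone, and the
# payment environment is reachable only through a hardened jump host.
SEGMENTED_POLICY = [
    ("internet", "vendor_vpn"),
    ("vendor_vpn", "vendor_portal"),  # no route from the portal onward
    ("corporate", "corporate"),
    ("corporate", "jump_host"),
    ("jump_host", "pos"),             # only the jump host reaches POS
]


def pivot_path(policy, start, target):
    """Breadth-first search for the shortest chain of allowed hops from
    start to target. Returns the list of zones on the path, or None."""
    adjacency = {}
    for src, dst in policy:
        adjacency.setdefault(src, set()).add(dst)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in adjacency.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def reachable_from(policy, entry):
    """Every zone an attacker who lands in `entry` can eventually reach."""
    adjacency = {}
    for src, dst in policy:
        adjacency.setdefault(src, set()).add(dst)
    seen = {entry}
    stack = [entry]
    while stack:
        for nxt in adjacency.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def segmentation_violations(policy, entry_zones, protected_zones):
    """List (entry, protected, path) for each protected zone that an
    untrusted entry zone can reach, directly or by pivoting."""
    found = []
    for entry in entry_zones:
        for protected in protected_zones:
            path = pivot_path(policy, entry, protected)
            if path:
                found.append((entry, protected, path))
    return found


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hits = segmentation_violations(policy, ["internet", "vendor_vpn"], ["pos"])
        print(f"{name}: {'NO PATH' if not hits else hits}")
```

Running it reports a three-hop path vendor_vpn -> corporate -> pos under the flat policy and no path under the segmented one. The useful habit is to run a check like this against the real rule base (exported from the firewall or cloud security groups) whenever a rule changes, so that a newly added "temporary" allow rule cannot quietly reconnect an untrusted zone to a protected one.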

So, what would it take for an executive team to allocate more funding to cybersecurity initiatives? The exfiltration of intellectual property would get the attention of 65% of respondents. A data breach involving customer data would move 58%, and regulatory action to investigate the company's data protection practices would motivate 46%.

Raising the Human Security IQ
Raising understanding and awareness of security issues across the organisation remains a significant challenge.

During the discussion with Tucker and Nigel Phair, a former police officer and current Director of the Centre for Internet Safety at the University of Canberra, it became apparent that a substantial part of the problem rests with not having the right language to communicate between different organisational layers.

Looking back, when ERP systems were being widely deployed, IT and business users created the role of the Business Analyst - someone who bridged the gap between the technical world and business operations. It became clear in the discussion that such a role would be valuable for security and compliance teams.

There's also a need for operations, management and board members to develop a better communications model where each group collects and delivers the right information in a form that is useful for each different group.

Anthony Caruana attended the launch of this report as a guest of Websense.

This article is brought to you by Enex TestLab, content directors for CSO Australia
