Cyber threats spook tech companies

Recent high-profile data breaches have clearly spooked a lot of companies, many of which expect to face cyber threats in the coming year. And security executives are spending more time advising senior executives and other top business decision makers at their organization on security-related matters.

Those are among the findings of CSO's annual State of the CSO report, which surveyed 366 security professionals online in August and September 2014.

About half of the survey respondents say their organizations have had to reevaluate their information security standards as a result of recent well-publicized attacks.

One company that's made changes is Hargrove Inc., a provider of services for events such as trade shows. "The data breaches at Target and particularly Home Depot elevated the perception of risk to a company's reputation," says Barr Snyderwine, CIO. "Those examples provided a very high level of visibility of the damage to reputation as well as cost."

The company was in the process of changing some data security protocols and the breaches accelerated the project, Snyderwine says. "They also elevated the need for additional security testing and scanning," he says. "We will be adding budget to implement next year."

Also reevaluating its information security approach is public accounting and business advisory firm Joseph Decosimo and Co.

"We are paying a little more attention to monitoring internal activity in our network," says Brian Joyce, director of IT/security. "Previously we have been more focused on what was coming in. Now, [we're] equally focused on what is going out as well, [and] more focused on data loss prevention and our ability to respond to control potential damage."


Among the organizations surveyed, cyber threats from outside the organization (including advanced persistent threats and distributed denial of service attacks) were the most commonly cited security-related challenges anticipated for the coming year. Some 37% of the organizations say they expect to face those challenges.

"As a provider of cloud services we are exposed to the threats from the Internet and defense against cyber attacks--including advanced persistent threats and distributed denial of service attacks--tops our priority list," says Erkan Kahraman, chief trust officer at Projectplace International, a provider of Web-based collaboration offerings.

Outside threats are an issue for Hargrove as well, "due to the data we keep and the industry we are in," Snyderwine says. "The challenge is to stay ahead of the threats. The vectors of the threats are a constant issue. The outside threats target our employees constantly so we have to train and communicate new threats."

Also high on the list of expected challenges are balancing IT's priorities--such as innovation and cost cutting--against the organization's risk appetite and ability to protect critical assets or meet regulatory guidelines (cited by 32%). Next was employee awareness and cooperation (30%).

"Balancing innovation and cost cutting has been a constant challenge through the years," Joyce says. "What is becoming more of a burden is the regulatory guidelines and compliance issues. And employee awareness is of necessity an ongoing, never static process, and remains a challenge. Employees are both our best defense and potentially porous perimeter."

It's interesting to note that cyber threats from inside the organization, which have often been cited as a major concern for companies, came in toward the bottom of the list of challenges, with only 18% of the respondents mentioning them. Also low on the list are employee retention and hiring enough skilled workers, and managing security and addressing the risks around mobile devices, with only 15% mentioning those as challenges for the coming year.

Security executives are spending more time advising senior executives and other top business decision makers at their organization on security-related matters. When asked about time spent doing this during the past three years, three quarters said it had increased, and 37% said it had risen significantly.

Looking ahead, 80% of the respondents expect the amount of time they spend advising to increase over the coming three years, and 44% expect it to increase significantly.

"Our senior executives were targeted by unsuccessful spear phishing attacks, which brought the attention to email security and awareness," Kahraman says. "During the last year we've spent significant time in both implementing email signatures--digital certificates--and training users. I can only assume we will continue our efforts in this domain."

While he is spending more time briefing senior executives, Snyderwine is spending even more time filtering the information to present to the executive team. "I have to summarize and present the right issues and strategy," he says.

Slightly more than half of the executives surveyed (52%) say their organization's overall security budget will increase over the next 12 months, compared with the past 12 months. Thirty-seven percent say the budget will remain the same and only 5% expect to see a decrease.

Companies in some industries are more likely to see increases than others. For example, in financial services, 67% of the respondents expect an increase while among government and non-profit entities only 45% anticipate higher budgets.

When formulating the security budgeting process, companies are using a variety of methods and calculations. These include total cost of ownership (42%), business value (42%) and return on investment (34%). Surprisingly, about one quarter of the organizations use no formal financial methodology for their security budgeting process.

Not quite as many organizations are looking to boost security staff headcount over the next 12 months, however. About one third (35%) say they expect to see headcount increase, while 56% say the workforce will remain the same and 5% are anticipating a decrease.

Again, the outlook varies by industry. For example, among healthcare organizations, 73% expect an increase in security staff in the coming 12 months. In the services industry, on the other hand, only 24% are expecting an increase.

For the most part, organizations are pleased with their security technology investments. Two thirds say that in general they are satisfied with the quality and relevance of products offered by security vendors, and 7% are very satisfied. A little more than half are satisfied with the security services offered, and 7% are very satisfied.

"I can say that I'm pleased with the security technology we've invested in; not so impressed with the professional services we purchased," Kahraman says. "Security technology has come a long way, and today's vulnerability scanners, Web proxies and application firewalls are all useful arsenal one can rely upon."

The study shows the growing value of risk management. About half of the executives surveyed say their organization's senior management placed more value on risk management over the past 12 months, while 35% said there was no change and 13% said the organization placed less value on risk management.

As for the next 12 months, 70% of executives expect senior management to place more value on risk management, with only 5% saying they will place less value.

Many of the organizations surveyed use a formal Enterprise Risk Management (ERM) process or methodology that incorporates multiple types of risk, not just information security and physical security risk. Some 56% say they are doing this. And the percentages are considerably higher for organizations with more than 1,000 employees (65%) and for industries such as financial services (70%) and healthcare (69%).

As for which ERM frameworks they're deploying, a majority of organizations (62%) are using internally developed models. The formal ERM process covers a variety of disciplines, departments and groups within companies. These include information security (87%), business continuity/disaster recovery (82%), executive management (77%), financial risk/insurance (72%), physical/corporate security (67%), general counsel/legal (62%) and human resources (56%).

A variety of officers are primarily responsible for driving risk management strategies, including chief risk officers, CSOs, CFOs, COOs, CEOs and CIOs.

To keep up with the latest security-related developments, survey respondents rely on a variety of sources. These include security/technology content sites (65%), analyst firms (64%), peers outside their companies (61%), white papers (61%), executive conferences or other events (57%) and industry associations (52%).

Given the rapidly changing developments in the security landscape and the importance of strong protection against attack, security executives will no doubt continue to tap into these and other resources for guidance.

Stories by Bob Violino