Note: If you are one of clients, this probably doesn’t apply to you because you have heard us beating this drum forever. It is always nice to get validation for what we have been saying for years, though.
Larry Ponemon says “There’s a clear lack of accountability, especially on the board and among C-suite executives, and a lack of confidence in determining the efficacy of security technologies“.
Ponemon surveyed IT and IT security practitioners who are knowledgeable about their organizations’ IT security strategy, tactics and tech investments and here is what they found:
- 56% – more than half – say that their IT infrastructure has gaps in coverage that allow attackers to penetrate its defense
- 63% – almost two-thirds – say IT security leadership needs better monitoring tools that will improve their ability to communicate with the C-Suite and the Board
- 69% – more than two-thirds – say that their organization is REACTIVE and INCIDENT DRIVEN
So we are not quite where we need to be and management doesn’t understand where we are and where the gaps are.
When it comes to Board of Directors and senior leadership engagement, the survey says:
- 63 percent say their IT security leadership does not report to the Board on a regular basis and 40% say they do not report to the Board AT ALL. By the way, “report to the board” does not mean that someone writes a memo that gets handed out and there is no discussion with people who understand what is in the memo.
- 14 percent say that their IT security leaders report to the Board after every breach.
- Only 28 percent say that the Board and CEO are actively involved in determining what is an acceptable level of risk for the organization to accept. Note that this is not something that IT can decide – it is above their pay grade.
- Only 21 percent say that their Board or CEO requires cybersecurity due diligence in the merger and acquisition process. You can ask Marriott how well that worked for them after they are done writing that $124 million check to the EU for botching that during the Starwood acquisition.
When it comes to security metrics here is what they said:
- Only 24 percent – less than one quarter – said that they have a mature measurement and metrics program. 30 percent say that they have a partial metrics program.
- 40 percent says that they don’t measure their company’s security posture at all.
- Of the 24 or 30 percent that have some form of measurement and metrics program – of them, only 39 percent report that information to the Board. That means that about 10-15 percent overall report metrics to their Board.
The bottom line here is that we need a lot more Board engagement – if the Board makes it a priority (which means allocating staff and budget) – then security will likely improve in those organizations. The bad news is that the hackers understand the state of things and are using it to their advantage.