Tag Archives: Governance

Ponemon Says Executives are not Sufficiently Engaged in Cybersecurity Strategy

Note: If you are one of our clients, this probably doesn’t apply to you because you have heard us beating this drum forever. It is always nice to get validation for what we have been saying for years, though.

Larry Ponemon says “There’s a clear lack of accountability, especially on the board and among C-suite executives, and a lack of confidence in determining the efficacy of security technologies”.

Ponemon surveyed IT and IT security practitioners who are knowledgeable about their organizations’ IT security strategy, tactics and tech investments and here is what they found:

  • 56% – more than half – say that their IT infrastructure has gaps in coverage that allow attackers to penetrate its defense
  • 63% – almost two-thirds – say IT security leadership needs better monitoring tools that will improve their ability to communicate with the C-Suite and the Board
  • 69% – more than two-thirds – say that their organization is REACTIVE and INCIDENT DRIVEN

So we are not quite where we need to be and management doesn’t understand where we are and where the gaps are.

When it comes to Board of Directors and senior leadership engagement, the survey says:

  • 63 percent say their IT security leadership does not report to the Board on a regular basis and 40% say they do not report to the Board AT ALL.  By the way, “report to the board” does not mean that someone writes a memo that gets handed out and there is no discussion with people who understand what is in the memo.
  • 14 percent say that their IT security leaders report to the Board after every breach.
  • Only 28 percent say that the Board and CEO are actively involved in determining what is an acceptable level of risk for the organization to accept.  Note that this is not something that IT can decide – it is above their pay grade.
  • Only 21 percent say that their Board or CEO requires cybersecurity due diligence in the merger and acquisition process.  You can ask Marriott how well that worked for them after they are done writing that $124 million check to the EU for botching that during the Starwood acquisition.

When it comes to security metrics here is what they said:

  • Only 24 percent – less than one quarter – said that they have a mature measurement and metrics program.  30 percent say that they have a partial metrics program.
  • 40 percent say that they don’t measure their company’s security posture at all.
  • Of the 24 or 30 percent that have some form of measurement and metrics program, only 39 percent report that information to the Board.  That means that only about 10-15 percent overall report metrics to their Board.

The bottom line here is that we need a lot more Board engagement. If the Board makes it a priority (which means allocating staff and budget), then security will likely improve in those organizations.  The bad news is that the hackers understand the state of things and are using it to their advantage.

Source: The Ponemon Institute via Helpnet Security

Great Questions For Your Board to be Asking

If you don’t have a board, then the CEO would be a great person to ask these questions.  The key thing is that the CIO and CISO need to be able to answer them.  The questions came from (Dell) Secureworks.

If you are the CIO or CISO, you should ask and answer these questions before your CEO reads this post.

1. Do we have the visibility to detect the threats most relevant to us, whether that be everyday malware, nation states, cyber criminals, insiders or hacktivists?

So many times we hear about attackers that have been inside a company’s systems for months or even years.  We have to get that number down to days or even hours.

2. What do you assess our main cyber risks to be, how well protected against them are we and how are they changing? What gaps exist in current strategies and budgets?

The only way to deal with these threats is to put them out on the table.  Once we know what we are dealing with we can begin to handle it.  The CEO and Board need to be on the hook for this – if they don’t make this a priority and fund and staff it then the breach is on their hands.

3. Are we prepared with a plan to deal with a breach? Do we know when this gets triggered and where responsibilities lie? Has it been tested?

The company’s incident response program is what prevents an incident from becoming a crisis.  With no program, no training and no team, avoiding a crisis is very unlikely.

4. Do you feel security training is tailored and delivered to ensure that each workforce segment is aware of threat actors and their CURRENT tactics?

We still hear companies say that they get people into a dark room once a year and watch them fall asleep over PowerPoints.  Training has to be interactive, ongoing and engaging.  Do something every month.  Phish your employees every week.  The old methodology doesn’t work any more.

Wherever you fit in the corporate or IT food chain, these are great questions to be considering.  While this is not a silver bullet, it will start some very useful conversations.

Information for this post came from Secureworks.