CONFIDENCE: SECURED
Organisations have made significant cybersecurity investments to improve their network defenses, yet many cyberattacks still remain undetected for months, and large-scale public breaches continue to dominate the news cycle. It's well understood in the security industry that for every breach made public there are many more that go unreported because they either haven't yet been detected or don't affect consumer data or critical infrastructure, and as such, do not require disclosure.
Leading companies tend to treat cyber risks in the same way they do other critical risks, primarily in terms of a risk/reward trade-off. However, the sophistication of security attacks facing corporations today outstrips basic defenses, and as the complexity of these attacks increases, so does the risk they pose to corporations. In addition, deploying cost-effective business technologies may affect resource investment calculations for security, and these competing business pressures mean that conscientious and comprehensive oversight of cybersecurity risk at the board level is essential. It can be difficult, however, for technical executives to accurately convey the changing shape of cybersecurity risks to non-technical executives.
In May 2015, Tripwire sponsored a study of 101 C-level executives and directors as well as 176 IT professionals from U.K. organisations with annual revenues over £500 million, to understand the challenges facing organisations that are trying to manage cybersecurity risks. The study evaluated attitudes toward cybersecurity risk decision-making and communication between IT security professionals, executive teams and boards.
United Kingdom Executive Cybersecurity Literacy Survey
Key Findings
“It’s surprising that so many executives give their boards a passing grade
on cybersecurity, and may reflect wishful thinking on their part,” said
Dwayne Melançon, chief technology officer for Tripwire. “However, boards
are likely to evaluate cybersecurity risks from the perspective of
defensible legal standards, and while this may be a useful exercise, it
doesn’t help determine acceptable levels of cybersecurity risk that can be
used to guide day-to-day decision making.”
“There’s a big difference between cybersecurity awareness and
cybersecurity literacy,” said Melançon. “If the vast majority of executives
and boards were really literate about cybersecurity risks, then spear
phishing wouldn’t work. I think these results are indicative of the growing
awareness that the risks connected with cybersecurity are business-critical,
but it would appear the executives either don’t understand how much they
have to learn about cybersecurity, or they don’t want to admit that they
don’t fully understand the business impact of these risks.”
“I’m surprised that the percentage of IT security professionals who are ‘not concerned’ is so high,” said Tim Erlin,
director of IT risk and security strategy for Tripwire. “The results indicate that IT Professionals believe their boards
are literate and are also getting the information they need. It also appears that many IT professionals aren’t
getting feedback from the board on shared information. The communication appears to be largely one-way.”
“These responses indicate that cybersecurity isn’t a tool problem, as IT
Professionals and executives overwhelmingly believe they have the tools
necessary,” said Erlin. “Since respondents believe they have tools and data
in place, but breaches continue to grow, this really does appear to be a
literacy problem.”
“Most organisations are not struggling with tools,” said Melançon. “They
are instead struggling with finding the right vocabulary and information to
accurately portray cybersecurity risk to their boards, and they are trying to
find the right balance of responsibility and oversight for this critical
business risk.”
“When it comes to breach data, it’s clear that customer data has the
spotlight,” said Erlin. “Executives are overwhelmingly aware of the risk
that exposing customer data poses, in part because it’s quantifiable, and
in part because it’s newsworthy. A breach with customer data invokes
data breach notification laws and potential fines in some environments. It
also makes headlines and drives lawsuits. While losing trade secrets is a
risk, it’s harder to model the outcomes.”
Conclusion
“Outside of a breach to their own organisation, respondents were largely
influenced at the same level by high-profile incidents and vulnerabilities,”
said Erlin. “The commonality is the media profile of an event rather than
any intrinsic qualities of the event itself. Ultimately, all risk is personal,
and there’s nothing like a personal breach to bring home the impact of
cybersecurity.”
“Executives and IT security teams have dramatically improved their ability
to communicate cybersecurity risk to boards, but the key is to make
cybersecurity actionable before a breach,” said Melançon. “Confidence in
communication with the board is a great first step, but effective
communication that moves cybersecurity up the list of business priorities
is the objective.”