Websense report: cyber-security professionals and C-suite must improve communication

The study, entitled “Roadblocks, Refresh, & Raising the Human Security IQ,” reveals a communication gap between IT security professionals and C-suite members. This communication gap can leave companies vulnerable to data breaches. Jeff Debrosse, director of security research at Websense, discussed the report’s significant findings and what businesses can do to remedy the issues that the report reveals.

The survey included responses from almost 250 Canadian IT security professionals. It revealed that IT security staff does not have strong, clear pathways of communication with upper management. One of the most alarming statistics from the report is that nearly a quarter of cyber-security teams do not talk to the executive staff about security. Debrosse offered an explanation for this high number. “In many organizations Internet/network security has been relegated to being a sub-section of IT,” he said. “In cases where it is a smaller portion of a cost-centre (not a revenue centre), security typically gets the focus ‘post incident.’ At that point, it’s a discussion about incident response, forensics and, in many cases, a PR damage-control campaign.”

Responding reactively to security incidents such as data breaches is not productive, Debrosse asserted. “That’s far too late to have the increasingly-important security conversation,” he commented. Websense’s director of security research believes that the enterprise needs to place a higher priority on cyber-security. “When more organizations realize that security needs to be at the executive round-table and a part of the regular discussion about business growth and continuity, we should see this number drop,” Debrosse remarked.

Another disturbing survey finding is that less than a third of respondents felt confident about their employers’ investments in skilled personnel and technologies to effectively fulfill the company’s cyber-security objectives. Debrosse noted that businesses see cyber-security as a cost centre rather than a revenue centre. “Companies typically do their best to control overhead – especially in relation to revenue,” he remarked. “One way of doing that is to calculate what the ROI will be. Many organizations have a difficult time quantifying risk and equating the probability of the realization of a threat to lost revenue. This is an exercise that small and large companies should go through to better understand what it will cost them to adequately protect themselves from their most-likely threats versus the cost of their most-likely threats being successfully carried out by attackers.”

While skilled personnel and technologies play an important role in a successful cyber-security strategy, education should also be a tool in the arsenal. To the chagrin of many Canadian cyber-security professionals, it is being neglected. According to respondents, 47% of Canadian companies do not provide cyber-security education to their employees. Debrosse opined that more businesses do not provide this education to their workforce because of the difficulty in quantifying its effectiveness.

“Years ago, I studied this specific situation/question specifically with a researcher from Carnegie Mellon University,” he commented. “What his team’s research revealed is that there is a point at which the awareness from cybersecurity education begins to rapidly decline, thus requiring re-education.” Debrosse believes that companies need to provide refresher courses frequently to keep digital assets safe. “Organizations that aren’t aware of this necessity will typically re-educate employees (on cybersecurity) on an annual basis – which is far too great of a lapse of time,” he warned.

The survey did provide some positive news. Cyber-security professionals who had modelled cyber threats believe this process is very useful for managing risk. Debrosse explained why this process is so useful. “Cybercrime is a business, and like legitimate businesses, cybercrime operations also have processes and tools used to achieve their underground business objectives,” he remarked. “In any business you’ll find a workflow that helps the organization ‘proceduralize’ their daily operations to maximize efficiency. Threat modeling is designed to take the attacker’s workflow and break it down into its constituent parts, referred to as stages. This allows organizations to understand at what stage in the workflow the attacker may be at a given point in time. This is important because most attacks are automated and occur in a linear fashion. Knowing the stages that an attacker has to follow for a particular type of attack is a very effective means of getting ahead of the attackers and proactively stopping or reducing the severity of an attack,” Debrosse concluded.