The bulk of companies' top security officials believe that cybersecurity breaches are inevitable, according to a report by Kaspersky Lab that also highlighted the changing roles of CISOs and their uneasy relationships with other C-level executives.
The report, "What It Takes to Be a CISO: Success and Leadership in Corporate IT Security," paints a picture of chief information security officers under increasing pressure to protect their companies against attacks that are extremely difficult to prevent while often lacking the financial resources they say they need and vying with other departments for budgets.
In addition, while many CISOs feel they are adequately involved in business decisions, Kaspersky researchers say the business may still not give their role in defending against cyberattacks a high enough priority.
However, while there may be ongoing tension between CISOs and other top executives over budgets and the realities of the current threat environment, the relationship appears to be improving, even if only gradually.
"Although a number of studies have been released quantifying the impact of a breach, the ROI of IT security expenditure can still be hard to argue, as most calculations include probabilities and assumptions on the damage caused by breaches, including direct financial losses and the costs associated with reputational losses," Andrey Pozhogin, cybersecurity expert at Kaspersky, told Security Now in an email. "Therefore, there continues to be some disconnect between top-level management and CISOs in regards to security expectations."
However, Pozhogin said, overall the relationship between executives and CISOs has strengthened in recent years. He noted as an example that "the portion of IT budgets spent on security has increased in North America over the past year, for both enterprises and SMBs. This is evidence that cybersecurity is becoming more of a boardroom issue and a priority for companies of all sizes."
The survey, conducted by PAC for Kaspersky, questioned 250 IT decision makers in the manufacturing and service sectors earlier this year. Among the key findings is that 84% of CISOs in North America said that cyberbreaches are inevitable, listing ransomware, phishing, general malware and Trojans as among the most difficult types of attacks to respond to. Forty percent said financially motivated criminal gangs were the largest IT security risk, followed by malicious insider attacks (29%), and that such attacks were very difficult to prevent.
The ongoing digital transformation within most companies only heightens the exposure to cybersecurity threats. The cloud, and in particular uncontrolled cloud expansion by lines of business, was cited by survey respondents as the top security risk, followed by social networks and mobility, all key elements of increasingly digital businesses. Respondents also listed complex infrastructures spanning cloud and mobile, the management of personal data and sensitive information, and the rising volume of cyberattacks as the top challenges CISOs face.
Kaspersky researchers note that the trend toward digital transformation should mean that cybersecurity becomes a top priority, which should lead to the CISO evolving to becoming more influential in important business decisions. Pozhogin added that 58% of CISOs said they are adequately involved in decision-making, an indication that their influence is growing.
"However, in addition to just involvement, it is important that security leaders are a part of the organizational hierarchy," he said. "Having a CISO at the executive level is still only typical in enterprises that are highly digital, highly sensitive or very large, and in North America, just 40 percent of cybersecurity managers are part of the C-suite. While the trend is headed in the right direction, there is still plenty of room to grow."
Other cybersecurity vendors have echoed the sentiment.
Trend Micro researchers in September noted that despite the rapid growth worldwide in the number of intelligent connected devices, only 38% of Internet of Things projects include input from CISOs and other IT security professionals. (See Why CISOs Need a Seat at the IoT Projects Table.)
There also is a disconnect between CISOs and executives regarding budgets. Budgets are growing -- 60% of CISOs in North America expect to see increases -- but getting the money they believe they need is difficult. There is no clear ROI that can be presented to executive teams for security spending and security professionals can't guarantee 100% protection from cyber threats. Thirty-six percent of CISOs surveyed said not being able to promise there won't be a breach has led to them not being able to get the security budgets they believe they need.
This is despite the growing understanding of the damage a breach can do to a company, both to its finances and to its reputation. Gemalto researchers found that the number of records breached in the first half of 2018 jumped 133% compared with the first six months of last year, to 4.5 billion records. In addition, reports by CompariTech and Kaspersky found that data breaches can hurt a company's long-term stock performance and even cost C-level executives their jobs. (See Gemalto: 4.5B Records Breached in First Half of 2018.)
"The misalignment between CISOs and other executives most often happens because of a failure to clearly communicate the risk of an attack and its potential impact on the company's bottom line," Pozhogin said. "CISOs, being experts in information technology and security, tend to better understand the threat landscape and potential implications of each specific threat targeting their network. Other executives do not always have the same depth of understanding and the same level of operational insight, and thus they may downplay the risks, hoping that a minimal investment will suffice to establish a strong enough layer of defense."
Executives also tend to rely on "hope for the better," he said, falling victim to two misconceptions: that some industries draw less attention from attackers than others because there is nothing worth stealing, and that companies which do suffer a breach were targeted for reasons that do not apply to their own organization.