The role of the modern information security executive is, in many ways, an unenviable position. The continuous pressure to protect increasingly sensitive data and systems that are decreasingly under direct control from a rapidly advancing threat landscape is enough to keep any CIO/CISO up at night. The challenges and intensities of this role make the input and perspective of those executives that fill it of particular interest and relevance as a factor of the evolving security landscape. Recognizing the weight of this audience’s perspective, we recently conducted a survey of more than 200 C-level security executives from the U.S. and United Kingdom to probe on recent and forthcoming trends and their likely impacts. The findings reveal some consistencies and some variance across geographies and when compared to the inputs of security practitioners deeper within their organizations.
The results of this survey have recently been published in the report “2016 Executive Application and Network Security.” Here are some of the key findings from the study, all of which you can read more about in the full report.
On the Executive Agenda
Not surprisingly, the seemingly endless stream of news about high profile attacks and breaches, combined with the heavy penalties (financial or otherwise) that follow, the topic of cyber-security is not a standard element of board meeting agendas. In fact, 82% of respondents to our survey confirm that the highest levels of executives are now fully abreast of security risks and mitigation strategies. There was very little variance on this topic across industries, which highlights that the idea that only certain verticals (finance, retail) are highly sensitive is no longer true.
We do start to see some differing views when we dig deeper into the impacts of cyber-attacks, particularly by geography. Our U.K. based respondents showed a much higher sensitivity to the potential of lost contracts (20% vs. 10% in the U.S.) whereas the U.S. respondents put more emphasis on brand reputational damage and productivity loss than their U.K. counterparts.
Increased Risks Means Increased Investment
The role of security vendor faces some of the similar challenges as the security executive, though the former is also the beneficiary of increased spending by the latter. Two-thirds of respondents reported increases in cyber-security spending since last year, ranging from 10%-59%. One of the more surprising (maybe alarming) aspects of the survey was the lack of good awareness on spending amounts at the executive level. Over 50% of those surveyed acknowledged that they did not know exactly how much money and time their company was spending on security. If the spending increases remain an ongoing trend, this is sure to change over time.
Responding to Ransom Attacks
If you’ve paid any attention to the cyber-security threat landscape recently, you’re no doubt aware of the rash of ransom motivated attacks against a variety of targets. We could see the early signs of this in our 2015-2016 Global Application & Network Security Report, which showed a growth in ransom as motivation for attackers—which nearly doubled from 16% in 2014 to 25% in 2015. In one of the more interesting dynamics in the research, we found many executives “talk tough” when it comes to dealing with ransom attacks, but behave quite differently when faced with one. Specifically, 84% of respondents who had not been targeted by a ransom attack said they would not pay the ransom. Yet, when we asked those that had been targeted how they actually responded, the number of those that paid jumped to 43%, and was especially high in the U.K. where 64% report paying the ransom.
Among the other topics and trends explored in this research are how executives are dealing with the emerging risks posed by the Internet of Things (IoT), the impact of trading partners on security and vulnerability, and the idea of tapping into white/gray hat hackers as a means of improving security operations. Each area yielded recognition that the changes going on within and around companies are forcing new approaches and strategies for defense.
Finally, the report also provides some perspectives on best practices in response to specific inputs garnered through the survey. Some of these include increasing visibility into outbound network traffic, improving security spending awareness, tips on dealing with ransom attacks, and also stressing the importance of leveraging automation in security operations.
For those sitting in the increasingly heated seat of the security executive, or for those just wanting to get better insights into their thinking, the “2016 Executive Application and Network Security” report provides a good starting point.