A recent survey of over 1,250 IT and security professionals from Australia, Europe, and Asia-Pacific highlights firms’ states of readiness and priorities for cyber defense. The survey, conducted by GlobalData on behalf of Telstra, an Australian telecommunications, and media company, attempts to learn firms’ views on everything from cybersecurity decision-making authority to security challenges and impacts, and even future trends and areas of intended investment.

Accentuated throughout various sections of the report is the general feeling among respondents that the biggest cybersecurity obstacles organizations are dealing with today is the ability to detect and respond to incidents and anticipating and managing the impact of new technologies introduced into the enterprise (namely, IoT). Despite these challenges, it is incumbent upon security, IT, and operations teams to manage security risks and threats—which means that organizations must understand both their environment (beyond tools and technologies) and the business’s priorities and initiatives.

The intersection of business and security goals and understanding is a coveted state, one that few organizations have been able to achieve. Often security practitioners maintain a laser focus on “securing all the things,” leaving little room for setbacks or diversions, otherwise known as “security compromise.” While most in the industry understand that security compromise—at some level, even if not catastrophic—is inevitable, practitioners still tend towards a holistic attitude.

Though “absolute security” cannot exist, security practitioners understand that their job is to mitigate as many risks as possible—even though risk calculations and threat modeling continue to be murky and not necessarily in line with business expectations. To illustrate, only 41% of the Telstra survey respondents said they are concerned with loss of productivity during a major security breach. Even fewer—a scant 37%--see corrupted business data as a problem resulting from a major security incident. Concern for the loss of customers after a data breach worries only 31% of respondents.

Though “absolute security” cannot exist, security practitioners understand that their job is to mitigate as many risks as possible. #InfoSecInsider #infosec Click to Tweet

Though the Telstra study does not compare security/IT responses with those of CEOs, CFOs, and other non-technical business leaders, it’s probable that concern for short-term loss of productivity, data loss, and customers would rank significantly higher among the latter set. The loss of productivity, data, and customers, after all, are what hinder growth and revenue, and while we’ve yet to see a company shut its doors after a major breach, even temporary impacts can significantly alter a company’s ability to conduct business as usual, stock price, and even job security. The costs for cleanup and reputational remediation alone can be considerable, not to mention any imposed fines, litigation (if applicable), or monetary outlay for new technologies that help prevent future intrusions and damage.

Identifying the disconnect

It seems, then, that goals of the security/IT organization compared to the business may be misaligned. To further this point, when it comes to cyber preparedness, an average of only 40% of respondents said that security audits are a “high priority” for the business. A mere 33% said that risk assessments of internal systems are “high priority.” If an organization does not know its risk exposure—which would be ascertained through testing and assessments—there is very little chance it can implement the correct controls and processes that will lessen risk and friction for the business.

Interestingly, returning to an earlier data point that said respondents are most concerned about their ability to detect and respond to security incidents, it should logically follow that security audits and assessments become regular events among a greater number of security and IT organizations; security audits/assessments will uncover system weaknesses and compromises. Risk assessments, for their part, are largely based on the current state of the environment (which can be ascertained through a vulnerability assessment, penetration test, or other evaluation of systems and processes). There are, of course, external factors that feed into risk, some which may be out of the organization’s control, but what is directly under the control of the organization is its ability to gain a more thorough and accurate assessment of the environment through evaluation of assets, controls, and processes.

Connecting the dots

If the Telstra report is any indication of the greater security community worldwide, the problem isn’t in practitioners’ lack of ability to detect and respond to cybersecurity incidents, nor is it the introduction of new device types that, themselves, introduce risk; it’s in practitioners’ attention to their own concerns. At a basic level, security teams must:

  • Achieve a better grasp on the assets in their environment that require protection;

  • Implement the tools and testing that allow the team to understand areas of highest risk; then

  • Communicate with fellow business leaders to share findings and determine appropriate actions for the given environment.

Until security commits to an improved process for identifying cybersecurity vulnerabilities then following through on the actions that will remediate those vulnerabilities, we’re going to continue to see large-scale breaches and low confidence in the security team.

If you're looking to enhance your leadership skills and learn to align security with business priorities, attend MISTI's Security Leadership Exchange, May 20-22, 2018 in Ponte Vedra Beach, FL.