It is notable that many respondents in a recent survey expressed confidence in their overall cybersecurity strategy. Looking at the coverage of recent data breaches, though, this degree of confidence might seem unwarranted. Still, there is light at the end of the tunnel: both governments and businesses have started putting more emphasis on the topic and awareness has risen considerably within large enterprises, although not consistently.
As part of a study titled Building Confidence - Facing the Cybersecurity Conundrum, Accenture surveyed 2000 security executives about their perception of their companies' security posture. What is striking is the high number of respondents who feel very confident about their overall cybersecurity strategy. The majority of firms included in this survey claim they succeeded in reshaping their corporate culture around security concerns while securing support from the board and upper management.
Still, despite these improvements, the number of data breaches keeps increasing at an alarming rate and has by now reached a tipping point. This dissonance between the perceived sense of security and the organization's actual ability to deal with threats is likely due to a flawed implementation of the security governance plan and to misallocated budgets. It appears that at vital points, the wrong questions are asked and answered within organizations. The most pressing questions in this regard are "What is at stake?" and "Where to invest?", and they must be answered with security in mind. Ultimately, the results show that businesses are having a hard time stopping malicious activity and preventing breaches completely. According to the study, around one in three targeted attempts at breaching security leads to a successful breach. Common problems are related to the company's investment strategy and the resulting security approach: sometimes the urgency to achieve compliance goals clashes with mitigating the risks that may actually harm the business. Compliance consumes substantial financial and organizational resources but does not, by itself, protect a company.
What can organizations do, then, when faced with these issues? We have already stressed that a simple "sticking plaster" culture in cyber security is a kind of plague. A thorough risk assessment is the only way to address the problem, as opposed to a mindset that applies point solutions in isolation rather than considering the whole picture. Remarkably, most companies do not even know the real value of their assets or what needs to be protected. A modern culture of risk management would allow security teams to identify risks and then perform a simple cost-benefit analysis of whether an investment in a given security measure makes sense.
What should really get us thinking is the lack of serious training initiatives. Cybersecurity readiness should be treated as a pillar, an area that deserves substantial investment in order to raise the level of awareness of every employee. Employees can be seen as "consumers of security". A well-prepared employee can support the security teams and help raise the level of confidence within the organization. For instance, if employees are sufficiently trained and aware of the relevant indicators, they can help detect and prevent security incidents. Active engagement in security will then invariably improve the overall security of an organization.
So, in the end, an improvement in security confidence is welcome as long as the business is genuinely ready to deal efficiently with cyber threats and to reach greater maturity.