We recently surveyed 2,000 security executives at large, global enterprises and found that about one in three focused, targeted breach attempts succeeded.
Still, 75 percent of respondents were “confident” they were doing the right things with their security strategies, and a similar number said security is “completely embedded” in their cultures, with support from the highest-level executives.
Clearly, there’s a disconnect.
Surviving in this increasingly risky environment requires a cybersecurity “re-boot” to embrace an end-to-end approach that recognizes a spectrum of threats, minimizes exposure and identifies high-priority assets. This takes a few fundamental steps.
Are you confident that you have identified all priority business data assets and their location?
Are you able to defend your business from a motivated adversary?
Do you have the tools and techniques to react and respond to a targeted attack?
Do you know what the adversary is really after?
How often does your organization “practice” its plan to get better at responses?
How do these attacks affect your business?
Do you have the right alignment, structure, team members, and other resources to execute on your mission?
We believe security organizations need to improve the alignment of their strategies with business imperatives. While many organizations are making progress in compliance and risk management, security programs must continue to improve detection and prevention of more advanced attack scenarios.
BUSINESS ALIGNMENT
Assess security incident scenarios to better understand those that could materially affect the business and identify drivers of and barriers to remediation and transformation strategies.
STRATEGIC THREAT CONTEXT
By anticipating future threats, gain insight on competitive and geopolitical risks and other areas to align security programs with business strategy.
THE EXTENDED ECOSYSTEM
Be ready to cooperate during crisis management, develop third-party cybersecurity clauses and agreements and focus on regulatory compliance.
GOVERNANCE AND LEADERSHIP
Focus on security accountability, nurture a security-minded culture and create a clear-cut chain of command.
CYBER RESILIENCE
Understand the threat landscape, design key asset protection approaches and use “design for resilience” techniques to limit a cyber attack’s impact.
CYBER RESPONSE READINESS
Have a robust response plan, strong cyber incident communications and the ability to ensure stakeholder involvement across all functions.
INVESTMENT EFFICIENCY
Drive financial understanding concerning investments across security domains and the allocation of funding and other resources.
Ultimately, security is everyone’s job.
While cybersecurity has gained full attention on company agendas, many chief information security officers (CISOs) still feel locked out of the C-suite. This isn’t necessarily a conscious snub; it’s more of a question of the security organization’s maturity level.
To succeed, CISOs have to step beyond their comfort zones and materially engage with enterprise leadership. Doing so will require them to speak the language of business to make the case that the security team is a critical pillar in the battle to protect enterprise value.
At the same time, the CISO needs to build the board’s cyber literacy with the goal of making it an equal priority to business risk assessment.
Effective cybersecurity requires organizations to achieve greater maturity regarding the main role of the security organization, which is to protect the business from devastating losses.
By grasping the bottom-line impact of a breach, organization leadership will be motivated to act quickly.
And, as digital security strategies and new solutions emerge, organizations that tie security efforts to real business needs will gain justifiable confidence in their ability to deal with relentless and fast-moving threats.
Australia, Brazil, Canada, France, Germany, Ireland, Italy, Japan, Netherlands, Norway, Singapore, Spain, UAE, United Kingdom, United States
Understand the extent to which companies prioritize security, how comprehensive their security plans are, how resilient they are with regard to security, and their level of spend on security.
Banking, Capital Markets, Communications, Energy (Oil & Gas), Healthcare (provider & payer), High Technology, Life Sciences, Products, Industrial Equipment, Retail, Utilities, Insurance.
Cybersecurity capability across 7 domains: business alignment, strategic threat context, the extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.
THOSE SURVEYED INCLUDED
• Security, IT and business executives at director level and above