Data breaches notwithstanding, many companies still blasé about cybersecurity

Published 23 February 2015

Cybersecurity industry analysts predicted that the 2014 data breaches which plagued Target, Home Depot, and JPMorgan, to name but a few, would elevate information security to a “top priority concern” among corporate executives. This has not been the case, as recent surveys of chief information security officers (CISOs) and technology executives at the world’s largest companies show mixed attitudes at best.

In a Raytheon-Ponemon Institute survey of 1,006 chief information officers, CISOs, and other technology executives in North America, Europe, and the Middle East/North Africa region, 78 percent said their boards had not been briefed on their organization’s cybersecurity strategy over the past year. Just 25 percent of respondents reported that senior management viewed security as a strategic priority, while 75 percent said cybersecurity was viewed as a necessary cost.

According to Christian Science Monitor, the Raytheon-Ponemon survey suggests that public concern with data breaches has failed to change the attitudes of many executives towards cybersecurity. Jack Harrington, Raytheon’s vice president of cybersecurity and special missions, says that organizations are slowly adopting cybersecurity as a priority, and many high-level executives still view data breaches as something that only happens to others. “The Target hack was very interesting,” Harrington says. “It raised awareness across the entire retail industry certainly,” but at the time, the number of CISOs that Target had ever hired was zero.

“That tells you they felt they didn’t even need that position. They just didn’t feel at risk.”

A survey of 269 security professionals by International Data Corporation (IDC) tells a different story. The study showed that 42 percent of CISOs reported to their company’s board of directors on a quarterly basis, and more than 60 percent said the frequency of their interaction with board members had increased in recent months.

Data from both surveys, however, show that, despite the increasing importance of information security, few CISOs report directly to the chief executive. Only 14 percent of CISOs in Raytheon’s survey and 15 percent in the IDC survey reported directly to their organization’s CEO.

IDC analyst Pete Lindstrom says much of what is reflected in the surveys lies in the interpretation. “Some of this is really framing how you want to say it,” he says. “You could look at it as a glass half-full, glass half-empty kind of thing.” Having only 15 percent of CISOs reporting to the CEO after 2014’s data breaches might be alarming, but he points out that another 50 percent report to an executive who reports directly to the CEO. Lindstrom recommends that security organizations and executives who claim not to receive the attention they need from senior-level executives should assess their approach to risk management. “It is the business-oriented risk-reward folks who succeed,” not the paranoid ones, he said.

John Pescatore, director of the SANS Institute, responds to both surveys, saying, “I don’t think it makes sense to equate ‘focusing on security’ with ‘boards of directors actively participating in security strategy.’” The companies that are “‘most’ focused on security need the ‘least’ board involvement, just the way companies that are the ‘most’ focused on quality or operational excellence or service to the customer need the ‘least’ board involvement. Boards of directors are most actively involved in mergers and acquisitions, and 75 percent of those have negative results.”