Bridging the Accountability Gap: Why We Need to Adopt a Culture of Responsibility
Businesses face a litany of existential threats: hostile takeovers, talent departures, unpredictable customer behavior, and market fluctuations – all deeply familiar risks that leaders have carefully planned for and assessed over decades. Yet these same leaders are often alarmingly unprepared for the most potentially damaging threat: a massive data breach that could mean the loss of everything... all in a matter of seconds.
The problems begin not with the “techies” in a company, but rather at the very top with the board of directors, as we learned when Nasdaq and Tanium teamed up to investigate how business leaders assess their own cybersecurity vulnerability. In the new study, “The Accountability Gap: Cybersecurity & Building a Culture of Responsibility”, researchers at Goldsmiths, University of London, found a worrying gap between presumed and actual corporate readiness for data security incidents and a widespread lack of accountability at the top levels of organizations. That means that some of the world’s largest networks, holding some of our most precious data, are more vulnerable than their leaders believe.
The study surveyed 1,530 non-executive directors (NEDs), C-level executives, Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) across the United States, United Kingdom, Germany, Japan, Denmark, Norway, Sweden, and Finland. They discovered that, among the most vulnerable companies, 98% of those business leaders are not confident their organization can monitor all devices and users at all times, which means information is traveling through unknown places.
Additionally, 90% of respondents could be categorized as medium-to-high risk for a cybersecurity incident, and 40% of respondents admitted that they didn’t feel responsible for the repercussions of a cyberattack. Until cybersecurity awareness and readiness are understood and openly communicated by both board members and senior executives alike – and all employees are educated on their personal accountability – closing the gap between how vulnerable you are vs. how vulnerable you think you are is a bridge too far.
Information security is fast becoming the number one area of IT spend for Global 2000 companies. Information security saw a 24% average increase in spending from 2014 to 2015, according to PwC. Unfortunately, the security industry has failed to evolve at the pace of cyberhackers and most companies use technology that has not been updated in decades to protect their most sensitive data.
The same study found data breach incidents outpaced the spending, increasing by 38% worldwide last year. Why? Because we have seen that cybersecurity is not simply a technology problem. Though having the right tools and cyber-hygiene practices is of paramount importance to ensuring the right security posture, it’s only part of the equation. If the people who are responsible for safeguarding an organization’s data don’t feel responsible – or simply don’t know how to be – a company remains at great risk.
But there is cause for optimism. Not only do new technologies address the latency and scale issues of legacy security tools; the report also identifies several actions all organizations can consider to open meaningful dialogue – from board to C-Suite to staff – to reduce vulnerability and ultimately close the accountability gap. Here are two to consider:
Create a Culture of Openness: Educate and empower the board
Most board members are not technologists, and even fewer have a cyber background. 91% of board members at the most vulnerable respondent companies are unable to interpret a cybersecurity report. But board members need to know what questions to ask in order to assess a company’s vulnerability – in the same way they ask questions regarding financial concerns. In many cases, certain board members responsible for cybersecurity should be given extended training so they can be comfortable with the language and impact of the data they are presented. Nasdaq’s board has several board members with a deep knowledge of what security means in the context of running a technology organization and how security incidents could impact the financial markets.
It is important to foster an environment of transparent communication in which cybersecurity can be talked about openly. Work collaboratively with governments, non-government organizations, and peers to understand the latest security threats and ways to work together to put out fires. The research shows that we need to move to a culture of openness: one that strives for transparency and maximum visibility. Admit that hacking is inevitable, but breaches are not. Strong response plans, employee training targeted to each level in the company, and cultivating knowledge and information-sharing are crucial elements for strengthening cybersecurity. Specifically, companies should be focused on improving information flows across the organization (including the board) and sharing information externally, too. This means being active with many industry consortiums, as they are all fighting the same fight.
Create a Culture of Vigilance: Acknowledge that cybersecurity is a fundamental threat to the business
If widespread education about the detrimental impact of cybersecurity incidents is step one, then an honest look at the technology you use to keep safe and run the business is step two. Prevention-based security strategies have failed on a very public level. People, processes and technology are the cornerstones of a culture of vigilance and, when holistically approached, the keys to staying one step ahead of the attackers. The reality is that most modern security tools are just abstracted versions of themselves from the past two to three decades. They lack the ability to answer basic questions like, “How many devices are in my network?” or “Which applications are causing the most vulnerabilities?” It may sound simplistic at its core, but an organization cannot protect what it cannot see.
Kris McConkey, PwC’s lead for cyber and insider threat intelligence, detection and incident response, commented to us, “One of the failings of the security industry or rather the industry as a whole, is that we're effectively taking all the same business processes that we've been using for the last 20-30 years, and trying to add more and more layers of technology on top to patch all the holes.”
We live in an exciting time, one where we use Internet-powered devices to connect directly with businesses, governments, each other and the world around us. As a result, we are able to solve problems more quickly and live longer, happier lives. Cyberattacks represent an existential threat to this way of life, and we need to make sure the right people, processes and technology are in place to protect our most sensitive data. Now is the time for leaders across organizations to take personal responsibility and play a more active role.
The full report, “The Accountability Gap: Cybersecurity & Building a Culture of Responsibility”, describes the seven challenges that predict cybersecurity vulnerability.
Orion Hindawi, Co-founder and Chief Executive Officer, Tanium

Orion Hindawi co-founded Tanium in 2007 and serves as its Chief Executive Officer. Orion leads product strategy and development of the Tanium Platform, in addition to all customer-facing technical operations and management functions. A technology visionary and accomplished inventor, Orion has led the development of enterprise-scale endpoint security and management platforms for the past 18 years at BigFix, Inc. (acquired by IBM in 2010) and Tanium, in addition to holding multiple software patents in the areas of network communications and systems management.
Orion works closely with Tanium customers on a daily basis in the pursuit of inventing new approaches for solving the significant challenges IT departments face securing and managing large, global enterprise environments. Orion also serves on the Tanium Board of Directors.
Lou Modano, Senior Vice President, Chief Information Security Officer and Global Head of Infrastructure Services, Nasdaq

Louis Modano is Senior Vice President, Chief Information Security Officer and Global Head of Infrastructure Services for Nasdaq. In this role, he is responsible for leading the company’s information security risk assessment and governance activities as well as information security incident management engineering teams. He is also responsible for the development and implementation of Nasdaq’s global technology infrastructure and services, including networks, systems, storage, databases, cloud computing, office automation and data center facilities.
Mr. Modano and his global team support the underlying infrastructure behind Nasdaq’s trading and market systems, as well as the Market Technology and Corporate Solutions businesses within the Global Technology group. Mr. Modano has more than 25 years of experience in building business value through strategic and innovative product development and information technology initiatives within the financial services industry. Prior to joining Nasdaq in August of 2009, Modano served as Senior Vice President at NYSE Euronext, where he held various senior leadership positions in operations, engineering, business development, sales, product development, and as head of the Sector/SFTI technology subsidiary.
Mr. Modano earned a Master of Business Administration from St. John’s University and a Bachelor of Science in Electrical Engineering from Polytechnic University.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.