
Brian Pennington

A blog about Cyber Security & Compliance

Survey Shows Lack of Trust, Limited Visibility and Knowledge Gap between the Board and IT Security Professionals

There are significant gaps in cybersecurity knowledge, shared visibility and mutual trust between those who serve on organizations’ boards of directors and IT security professionals. These gaps between those responsible for corporate and cyber governance and those responsible for the day-to-day defense against threats can damage an organization’s cybersecurity posture, leaving it more vulnerable to attacks and breaches.

This data comes from a new survey, Defining the Gap: The Cybersecurity Governance Survey, conducted by the Ponemon Institute and commissioned by Fidelis Cybersecurity.

Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur. Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.

The survey asked more than 650 board members and IT security professionals (mainly CIOs, CTOs and CISOs) for their perspectives regarding board member knowledge and involvement in cybersecurity governance.

Key findings include:

Lack of Critical Cybersecurity Knowledge at the Top

76% of boards review or approve security strategy and incident response plans, but 41% of board members admitted they lacked expertise in cybersecurity. An additional 26% said they had minimal or no knowledge of cybersecurity, making it difficult, if not impossible, for them to understand whether the practices being discussed adequately address the unique risks faced by their organization. This renders their review of strategy and plans largely ineffective.

Limited Visibility into Breach Activity

59% of board members believe their organizations’ cybersecurity governance practices are very effective, while only 18% of IT security professionals believe the same. This large gap is likely the result of the board’s lack of information about threat activity. Although cybersecurity governance is on 65% of boards’ agendas, most members are remarkably unaware of whether their organizations have been breached in the recent past. Specifically, 54% of IT security professionals reported a breach involving the theft of high-value information such as intellectual property within the last two years, but only 23% of board members reported the same, and 18% were unsure whether their organizations had been breached at all.

“As the breadth and severity of breaches continues to escalate, cybersecurity has increasingly become a board-level issue,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “The data shows that board members are very aware of cybersecurity, but there is still a lot of uncertainty and confusion. Many lack knowledge not only about security issues and risks, but even about what has transpired within their own companies, which is shocking to me. Without an understanding of the issues, it’s impossible to reasonably evaluate if strategies and response plans are effectively addressing the problem.”

Absence of Trust Between Boards and IT Security Professionals

The board’s lack of knowledge has created a further divide. Nearly 60% of IT security professionals believe that the board does not understand the cybersecurity risks of the organization, compared to 70% of board members who believe that they do understand the risks.

“The gap in knowledge and limited visibility into breach activity means board members don’t have the information they need to make smart cybersecurity governance decisions, and IT security professionals don’t have the support, monetary or otherwise, to maintain a strong security posture,” said retired Brig. Gen. Jim Jaeger, chief cyber services strategist at Fidelis. “Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks their organization faces and be able to provide the support needed for the security teams to protect against those risks.”

Additional Key Findings Include:

  • The Target breach was a watershed moment. 65% of board members and 67% of IT security professionals reported that the Target data breach had a significant impact on the board’s involvement in cybersecurity governance, while previous high-profile breaches were reported to have had nominal or no impact.
  • The SEC will drive drastically increased board involvement. The Securities & Exchange Commission (SEC) guidelines requiring the disclosure of material security information had a significant impact on boards’ involvement, according to 46% of board members and 44% of IT security professionals. However, only 5% of board members and 2% of IT security professionals say they followed the SEC guidelines and disclosed a material security breach to shareholders. Moving forward, 72% of board members believe the SEC will make the guidelines a mandate, and 81% believe that this will increase the board’s involvement in cybersecurity governance.

Disclosure rules clarified, or made more confusing?


Following the UK Information Commissioner’s call for compulsory audits and the disclosure laws in France and Germany, the US Securities and Exchange Commission (SEC) has released a statement containing disclosure guidance.

In setting the scene for its Disclosure Guidance, the SEC points out the risks and consequences of a cyber attack:

Victims of successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs, which may include liability for stolen assets or information and repairing any system damage that may have been caused;
  • Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
  • Increased cybersecurity protection costs, which may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.

When identifying the situations in which a post-attack disclosure is required, the SEC notes the following:

  • Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
  • Registrants should address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.
  • If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant’s “Description of Business.”
  • If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its “Legal Proceedings” disclosure.
  • To the extent a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, registrants should consider whether disclosure of a recognized or nonrecognized subsequent event is necessary.

As with other governmental “guidance”, the overall theme is slightly vague. Even the initial summary raises the question “why offer the guidance if it has no meaning or enforcement?”:

“This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.”

It is going to take an organisation suffering a data breach and then failing to deal with the resulting fall-out in a professional and appropriate way for the SEC to step in and make an “example” of it. Only then will the case be proven and, hopefully, the vagueness taken out of the guidance.

As always, prevention is better than cure. Some simple precautions:

  • Policies. Ensure your staff know how to handle data and what to do if a breach or suspected breach occurs.
  • Procedures. Documented and tested procedures for data handling, change management, etc.
  • Security solutions. Do not rely on anti-virus and firewalls alone; implement access controls, Security Information & Event Management (SIEM) and, of course, encryption.
  • Audits. Regular and thorough audits of people, processes and solutions.
  • Incident response planning and testing. No matter how much time and money is invested in prevention, things can go wrong, and how an organisation deals with the incident can be the difference between a good and a bad outcome.

The SEC’s full statement is here.
