While suffering a cyberattack may be an eventuality these days, one organization's experience with cybercrime can be very different from another's. Anecdotal evidence from business leaders regarding information security can be interesting, but it's impossible to understand what's truly going on in the industry without gaining insight from hundreds of organizations.
That's why the data from "Business and Economic Consequences of Inadequate Cybersecurity," a recent survey conducted by the Centre for Economics and Business Research (Cebr) on behalf of CA Veracode, is so important. It asked over 200 C-level executives from the United Kingdom for their thoughts on cybersecurity. While the complete results are worth reading for any CISO, a handful of findings are more salient than the others. Here are the top five lessons CISOs can learn about cybersecurity:
With all the research surrounding them, it's easier than ever to compute the costs (reputational, financial and otherwise) of cyberattacks. However, the survey found some hidden costs that many CISOs may not have considered. After suffering an attack, businesses experience significant increases in their IT spend, sometimes equaling or exceeding the amount of their lost revenue from the attack. While in some cases this rectifies a situation where cybersecurity wasn't properly funded, in others it merely represents an attempt to throw money at a problem and is just as damaging as lost revenue. CISOs need to factor in these additional costs when computing the entire impact a breach could have on the business.
The C-level executives surveyed ranked IP theft as their sixth-highest concern, yet the numbers show IP theft accounts for 34 percent of all UK cybercrime. Not only does this fact show that executives are unaware of how cybercrime affects their bottom lines, but it also means that most aren't aware of the current trends within the industry. While businesses in the United States are more concerned about IP theft, this still shows the disconnect between the C-suite and the reality of the situation when it comes to cybercrime.
This disconnect is even more jarring in light of the fact that more than half of CEOs hold themselves accountable for successful attacks against their businesses. Of course, it's difficult to determine how much of this response is just "the buck stops here" and how much is actual concern over the organization's cybersecurity efforts, but if it's not already, the spotlight will soon be fully on InfoSec departments. CISOs can expect to see the rest of the C-suite, or at least their CEOs, take an active interest in areas such as application security and threat intelligence.
In a perfect world, cybersecurity would exist alongside business operations, ensuring that the systems were safe without interfering with operations in any way. The reality, however, is quite different.
More than half of C-level executives believe cybersecurity blocks innovation to some extent, with more than 20 percent of CEOs, CIOs and CTOs believing it happens at least moderately. This speaks to the need for CISOs to better integrate cybersecurity into existing workflows. Some disruption is always necessary, but the C-suite should view it as minor, rather than how it is viewed today.
With all the media attention cyberattacks and lost business attracts, there may be some perception that the government will begin to crack down on the issue — but that's not how the C-suite sees things. The vast majority of CEOs, CFOs and CTOs rated the government's performance in combatting cyberattacks as average or worse, with the vast majority of CTOs providing a poor rating.
While certain aspects of the government, such as defense, will continue to be at the leading edge of technology, in general there will only be movement once things really start to get out of control, which may be far too late for most businesses. At best, the government should be viewed as an asset that will occasionally enhance collaboration between organizations and industries through programs and directives, but most businesses will be on their own when it comes to actually fighting cybercrime.
While the views presented in the survey make up a small segment of businesses within the United Kingdom, the results can certainly translate to the United States as well. CISOs who take these lessons to heart, and who investigate the rest of the survey results, will find themselves better suited to prevent cyberattacks within their own organization and better able to communicate InfoSec concerns to the other C-level executives.
Want to learn more? Check out the rest of Cebr's survey.
Photo Source: Flickr