In Security, Silence is Not Golden

Wednesday, July 30, 2014 @ 05:07 PM gHale

Nearly a third of IT security teams (31 percent) never speak with their company’s executives about cyber security, and of those who do, 23 percent speak to them only once a year, a new report said.

This lack of communication and security awareness can greatly increase companies’ risk of experiencing some kind of attack, said Jeff Debrosse, director of security research at Websense, which sponsored the “Roadblocks, Refresh, & Raising the Human Security IQ” report by the Ponemon Institute.


Debrosse said the “31 percent [of IT teams that do not speak with their corporate executives] will, at some point, find themselves on the front page because they’re not having a conversation about insider threats, APTs, etc.”

But even though they aren’t discussing threats with upper management, security teams are constantly thinking about them, which may itself contribute to the communications breakdown. An overworked analyst might not have time to assemble a report and attend a meeting, though that is exactly what needs to happen. The executive suite is likely to read silence on the IT team’s part as a sign that everything is running perfectly when, in reality, the team may need additional support or funding.

IT teams need to “really insist and show the ‘why’ of having security as part of executive team meetings and discussions,” Debrosse said. Whether that means offering a quick to-do list or even stating nothing has changed, it’s important to show the IT security team’s presence and differentiate themselves from the general IT department.

He suggested security leaders take advantage of established risk frameworks, such as the NIST Risk Management Framework (SP 800-37), to express risks and their mitigations in cost terms and to defend budget requests.

The report, which surveyed more than 160,000 IT security professionals in 15 countries to determine the challenges they face in dealing with cyber security threats, also found that 47 percent of respondents were frequently disappointed with the level of protection their security solution offers, and that 52 percent of companies do not provide cyber security education to their employees. The majority of those surveyed work for financial companies, and the United States and India accounted for the largest share of respondents.
