The Goldilocks Dilemma: Too Much Cybersecurity Or Too Little?


Cybersecurity continues to be a hot topic these days, but it’s unclear whether CIOs are doing too much or too little to tackle the problem. Sometimes it seems as though enterprises are developing the same attitude about breaches that Californians have about earthquakes – sure, we’re vulnerable, but what are the chances of it shaking really, really bad right where I’m standing?

Consider this piece in Wired last week from Sonali Shah, vice president of products at BitSight Technologies, a company that claims to provide ratings for technology risk the way a company like Dun & Bradstreet provides credit ratings for financial risk. She writes of a real Goldilocks dilemma – some people think cybersecurity efforts are too soft, while others think they’re too hard. She cited her own company’s February 2014 survey, which found that “82% of the 460 companies assessed had an externally observable security compromise in 2013.”

(As a skeptical journalist – especially one who’s done a lot of research in the governance, risk, and compliance (GRC) space – I wonder what constitutes “an externally observable security compromise.”)

On the other side of the bed, Shah cited three other recent surveys, done variously by consulting groups, analysts, and magazines focusing on security, revealing that sound majorities of executives, from both business and IT, from C-level down to directors, are confident with their companies’ security posture.

Further confusing the too-hard/too-soft issue: what’s the real weak link in enterprise security? Clearly, as retailer Target’s recent travails have shown, malware is an issue. But as Ken Hess pointed out on ZDNet last month, uneducated employees cause more damage than malware. He cited a survey by Globalscape (again, a developer of “secure information exchange solutions”) noting that “63% of employees use remote storage devices to transfer confidential work files,” among other horrifying statistics.

Reports like this also bring up the ignorance versus apathy question. Do users not know about security policies, or do they simply not care? The survey results also note these hair-raising statistics:

  • 52 percent said it’s more convenient to use a tool that they know well
  • 33 percent reported that recipients have had trouble accessing files sent through the company system
  • 18 percent said they use alternatives [for mobile devices] because the company’s tool does not offer mobile access

Targeting your employees for education may not only be financially prudent but also fruitful. George Grachis, information systems security manager for Satcom Direct, a global satellite company, writes in CSO last week of the importance of what he calls “human sensors.” Use your employees to flag issues, focusing on education: “Reach out to them in a monthly newsletter, cover topics in a web based format with interactive videos and one single topic like phishing, mobile malware, or data privacy. … Be creative and show passion for cyber security, it will get users excited about learning.” (For more tips, see also this CIO article from last month on testing the security savvy of your staff.)

Unfortunately, the answer to what’s “just right” in terms of cybersecurity defenses remains elusive. Is it technology or education, or both? Finding that balance requires many interlocking steps: acknowledging that there is a problem, acknowledging that there are multiple ways to tackle the problem, and working to make protection part of the business process rather than an annual optional seminar. It’s not easy, but the alternative may be coming to work one day and finding that someone has been sleeping in your data.

Email CIO Next Community Manager Howard Baldwin if you’re a CIO who wants to spout off in an opinion piece about your security challenges.

Note: This story has been updated to properly identify Sonali Shah's gender as female, and Bitsight Technologies' report being released in 2014, not 2013.