News
Traditional Approaches To Cybersecurity Are ‘Outdated And No Longer Work’
May 2014 by Protiviti and Robert Half Technology
Traditional approaches to cybersecurity are no longer working and organisations that fail to update their strategies run the risk of significant financial and reputational damage. This was the major insight from the inaugural IT Leaders’ Roundtable events hosted by Protiviti and Robert Half Technology, which were attended by chief information security officers (CISOs) from a range of private and public sector organisations.
The main challenge lies in communication between CISOs/IT and the board, reported attendees. While boards of directors are aware of the risks associated with cyber crime, partly because of recent high profile attacks in the news and partly because of guidance from GCHQ and other government bodies, they tend to view expenditure on measures to tackle cyber crime as overheads, rather than risk mitigation.
A separate survey[2] found that nearly three-quarters (72%) of CIOs/CTOs indicate that cybersecurity is being prioritized by senior management, but that this number drops to 55% for small and medium-sized enterprises (SMEs). The primary reasons why the lack of prioritisation include lack of perceived imminent threat (39%), cost considerations (21%) and the belief that company information is not of external value (17%).
CIOs/CTOs were asked, ‘What is the primary reason why cybersecurity is not being prioritised by senior management?’ Their responses:
Lack of perceived imminent threat
39%
Cost considerations
21%
Belief company information is not of external value
17%
Not a regulated organisation
10%
Lack of understanding
10%
Other business initiatives of greater importance
3%
Jonathan Wyatt, managing director of Protiviti UK, said: “Our annual survey of the top business risks for UK executives shows that cybersecurity is among the top concerns for 2014, alongside regulatory change, economic conditions and political uncertainty. More boards recognise that cyber threats have the potential to disrupt core operations, bringing what was previously a low level IT concern to the senior decision making table.”
Attendees also reported that their boards were experiencing fear, uncertainty and doubt (FUD) fatigue and tended to believe that they could get away with current protection against cyber attacks – despite the fact that the world has changed significantly because of social media, mobile and cloud technology.
Ryan Rubin, managing director and leader of Protiviti’s UK Security and Privacy practice, commented: “Traditional approaches need to change to reverse the trends and help mitigate risk. The average cost of a data breach is $250 per record – and there are mounting expectations that a company will do something for customers whose information have been compromised. As well as reputational damage, companies can face costs that escalate very quickly.”
Charlie Grubb, Associate Director, Robert Half Technology added: “When we asked about the quality of information exchange around cybersecurity between IT and the board, organisations reported that this was mostly limited and reactive, rather than ongoing. The delegates’ experiences suggest that IT security professionals need to develop
