Time for security leaders to claim a seat at the top table: Cisco
- 28 July, 2017 10:00
By collaborating regularly with the CIO, CTO, chief audit executive, and the chief risk officer, CISOs can gain a direct line to senior management and the board.
While revenue generation is still the top goal of most cyber threat actors, they now have the ability to lock systems and destroy data as part of their attacks, reports Cisco.
“Our researchers see this more sinister activity as a precursor to a new and devastating type of attack that is likely to emerge in the near future: destruction of service (DeOS),” says Cisco in its 2017 Midyear Cybersecurity Report.
With DeOS, adversaries now seek to eliminate the “safety net” that organisations rely on to restore their systems and data following malware infestations, a ransomware campaign, or any other cyber incident that severely disrupts their operations, according to Cisco.
The report, released early this week, further notes evolutions in ransomware, such as the growth of Ransomware-as-a-Service, make it easier for criminals, regardless of skills, to carry out these attacks.
Ransomware has brought in more than US$1 billion in 2016, but this may be misdirecting some organisations who face an even greater, underreported threat, says Cisco.
Business email compromise or BEC, a social engineering attack in which an email is designed to trick organisations into transferring money to attackers, is becoming highly lucrative.
Between October 2013 and December 2016, US$5.3 billion was stolen via BEC, according to the Internet Crime Complaint Center.
These developments have prompted Cisco’s call for security leaders to claim a seat at the top table.
Cisco says its latest Security Capabilities Benchmark Study found that security is a high priority for the top levels of many organisations.
As well, security professionals believe executive teams keep security high on the list of key organisational goals.
However, the number of security professionals who strongly agreed that their executive leadership considers security a high priority was 59 per cent in 2016. This is down slightly from 61 per cent in 2015 and 63 per cent in 2014.
“That decline in confidence may be misplaced,” says Cisco.
Chief information security officers (CISOs), in particular, may not realise senior management and boards of directors not only view cybersecurity as a high priority, but are also eager to hear more about the issue.
Cisco says executive teams are likewise looking for better and more information.
Almost a quarter of boards are dissatisfied with the reporting that management delivers on cybersecurity, says Cisco, quoting the National Association of Corporate Directors’ 2016–2017 Public Company Governance Survey.
The boards report the information they receive does not allow for effective benchmarking, is not transparent about problems, and is difficult to interpret.
Security experts with SAINT Corporation, a Cisco partner, suggest CISOs have a clear opportunity to fill that knowledge gap.
Reports about the organisation’s cyber risks or security needs should not be overly technical, says SAINT.
“Try to align the discussion about these issues with traditional risks that the company faces, and tie them to business priorities and desired outcomes. Also, be sure to emphasise how cybersecurity can be a growth enabler and competitive differentiator for the business. “
When alerting management and the board to a cyber attack, CISOs need to explain clearly what the impact is to the organisation. This could be around how many employees or customers are affected and what valuable data has been compromised.
They should also report on what the security team is taking to contain and investigate the threat and how long it will take to resume normal operations.
CISOs need to work with other leaders in the organisation, including those outside the technology department, SAINT further recommends.
“By collaborating regularly with a range of leaders in the organisation - the chief information officer, chief technology officer, chief audit executive, and the chief risk officer, to name a few - CISOs can gain a direct line to senior management and the board.”
Send news tips and comments to firstname.lastname@example.org
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz