No Place For Passivity in Cybersecurity Leadership
By and large, the news in 2017 was not good on the cybersecurity front. Whether you follow media headlines or industry studies, attacks are up, breaches are larger and threat actors are more sophisticated than ever. Unfortunately, many organizations fail to take basic precautions to mitigate these risks. As a result, breaches often go unreported, leaving millions of customers unaware that their personal data is exposed.
The technical challenges are growing, but technical solutions are also increasingly available. However, many of these tools go unused or unnoticed by organizations. The real issue here is cybersecurity leadership — or a lack thereof.
Staying Out of the Spotlight
CIO Insight detailed some of 2017’s most noteworthy breaches and the blunders that put those companies in a negative media spotlight. Failures at the leadership level included negligence in risk management and poor handling of incidents after they occurred. These lapses ran the gamut from embarrassing to infuriating.
For example, a cybersecurity consulting firm failed to implement basic protections on its network and took months to discover that its most confidential customer discussions were exposed. Similarly, a financial firm failed to notify millions of consumers that their data had been compromised and even endeavored to mislead them once the breach went public.
Study results may not be quite as vivid, but they are just as alarming. According to the Identity Theft Resource Center (ITRC), the total number of breaches rose 40 percent in 2016, and a midyear report by the same organization predicted another 37 percent jump by the end of 2017. Furthermore, a recent Ponemon study revealed that 56 percent of companies experienced a breach due to third-party error last year, a 7 percent increase over 2016.
At least we can conclude that false confidence is not the problem. Only 17 percent of respondents to the Ponemon survey said their organizations were effective in minimizing third-party risk, down from 22 percent a year ago. In addition, only 35 percent said they expected their third-party partners to promptly notify them of a breach. When it comes to fourth parties and beyond, that number fell to just 11 percent.
The Cybersecurity Leadership Deficit
All of these failures, CIO Insight noted, point to “a completely broken mindset and haphazard approach” to cybersecurity. This attitude is shaped from the top, if only passively, through inaction. As such, it can only be changed from the top. That’s why security leaders must help executives understand the organization’s risk posture from both a security standpoint and a business perspective. For their part, top leadership must become more involved in cybersecurity initiatives and budget accordingly.
The essential element of leadership is not in the particulars, but in active engagement with security challenges. Attackers are out there, but effective defense measures are available to help organizations protect their most sensitive data. Cybersecurity leadership consists of recognizing the dangers and taking them on, not reacting with passivity and evading responsibility.