
As threat actors gain momentum with a continued onslaught of COVID-19-related malware and phishing scams, security and business leaders are concerned about the impact on the enterprise. According to a new report from Tenable, 94% of survey respondents experienced a business-impacting cyberattack within the last year, and 46% of businesses suffered five or more attacks.

One of the causes noted was a disconnect between an organization’s business and security, and it was exacerbated by the COVID-19 outbreak:

  • By April, 41% of respondents had at least one cyberattack directly related to COVID-19 in the last 12 months
  • The report found 96% of respondents developed COVID-19 response strategies: 75% of business and security leaders said their COVID-19 response strategies are only “somewhat” aligned
  • Within two years, 77% of executives expect cyberattacks to increase


A “security program should include identifying every asset across all computing environments and understanding the exposure of each, including vulnerabilities, misconfigurations, and other security health indicators,” said Nathan Wenzler, chief security strategist at Tenable.

Impact of cyberattacks

Cyberattacks can have a major effect on the enterprise: they not only affect daily operations but can permanently damage a company’s reputation if not addressed immediately. The report revealed what respondents experienced:

  • 36% lost sensitive data or productivity
  • 35% experienced financial loss or theft
  • 32% experienced identity theft

It’s evident businesses need response strategies for breaches, but 75% of organization leaders don’t feel in sync on the strategies. Business leaders demand a clear picture of cybersecurity, while their security leaders struggle to find clarity.

Connecting the disconnect

Only 40% of security leaders can answer with a high level of confidence, “How secure, or at risk, are we?” But, according to the report, only a cybersecurity leader who aligns strongly with an organization’s business leader can be confident in that response. Only four in 10 security leaders meet this requirement. The report identified a disconnect between business and security on how to handle cyber risk. Less than 50% of security leaders understand the relationship between a cybersecurity threat and how it directly affects a specific business risk, while not enough security leaders (51%) believe in coordinating with business stakeholders’ needs regarding cost, performance, and risk-reduction objectives.

Despite the rash of cyberattacks, only 25% of security leaders regularly review security’s performance metrics with business stakeholders.

Failure to communicate

While cybersecurity attacks can have tremendous impact on a business’ financials, reputation, and sustainability, cybersecurity is rarely integrated fully into a business strategy. Clear coordination between security leaders and business executives is critical. There’s not enough discussion on cybersecurity strategy: 47% of security leaders frequently discuss cybersecurity with business execs, and 42% of business executives rarely, “if ever,” consult with security leaders on business strategies.

Even if policy requires security leaders to apply business risk-management objectives and vulnerability prioritization practices, only 44% of security leaders comply. More than 50% of security leaders report security has a comprehensive assessment and understanding of what’s vulnerable to attack. To measure their organizations’ risk, fewer than 50% of security organizations use threat metrics that incorporate business risk context.


“Approaching security program efforts from a risk management perspective allows security leaders to improve misalignment and elevate the conversation around cyber risk within the organization,” Wenzler said. He suggested security leaders create a simplified, unified language “that isn’t overtly technical and frames cyber risk in such a way that’s easy for everyone to understand” so security and business leaders can make better decisions on managing risks. He added, “This is where we see the most successful CISOs and security leaders advocating for the security of both the technology and the business; evolving from technology experts to that of business-aligned security leaders.”

Security leaders not only analyze and prioritize potential cyber risks (despite limited threat context) but also execute remediation based on what business leaders consider critical assets.

An organization can expect a good outcome when security and business are in sync with agreed-upon contextual data. Business-aligned security leaders are eight times more likely than their peers who operate in isolation to be highly confident in reporting their organizations’ security or risk level. Many business-aligned organizations (80%) employ a Business Information Security Officer (BISO), compared with 35% of their less-aligned counterparts.

Secure or at risk?

Other findings from the report:

  • 72% of (the successful) business-aligned security leaders are “very or completely confident in their ability to report on their organizations’ level of risk”
  • 9% of security leaders who are not working in tandem with business reply with the same level of confidence
  • 85% of those business-aligned security leaders use metrics to track cybersecurity return on investment (ROI) and a business’ success
  • 25% of security leaders not working in tandem with business are not only isolated, but reactive, and do not employ metrics.

4 key takeaways from the report

The report offered these four important items to keep in mind:

  1. A “climate of uncertainty” is ripe fodder for cybersecurity threats and creates a higher profile concern, a topic of board-level visibility.
  2. Security leaders struggle to provide their business-leader peers with what the latter want: clarity on the company’s cybersecurity.
  3. Many organizations don’t align security with business, which creates a “disconnect” in managing cyberattacks.
  4. Cybersecurity must develop in tandem with business strategy.

The enterprise needs a new approach to security. Wenzler explained, “One that elevates and aligns the role of the CISO with other business leaders. Information security is really a risk management function,” not just an IT function.


Tenable commissioned Forrester to conduct an online survey of 416 security and 425 business executives, and to interview five business and security executives to examine cybersecurity strategies and practices at midsize to large enterprises.