Security

02:40 PM
Becca Lipman
Commentary

'Enlightened' Non-IT Execs More Likely To Run Secure Organization

Do senior executives understand their role in data security? On the whole, unsurprisingly, no.

A recent NTT Com Security survey of 800 senior business decision makers outside the IT department across industries (registration required) found that the education, actions, and opinions of senior executives have a significant impact on the organization's data security.

Executives were divided into four categories based on their understanding of security risk and commitment to protecting data. Respondents deemed "enlightened" on these topics were more likely to work in organizations that have strong data security policies, higher IT spend, and a more mature attitude about the value of their data. A minority of respondents fell into this category. Performance worsened in the organizations where executives fell into the "informed," "passive" or, worse, "complacent" categories.

Chris Camejo, director of assessment services at NTT Com Security and a leader in threat intelligence, told us the results of the survey are in line with his experience in the field. "There's probably the majority that know a breach is going to happen, and they want to do what they can to improve their defenses, and the remainder are just kidding themselves, because they're probably going to get breached, too."

According to the survey, 37% of all respondents said all the organization's consumer customer data is completely secure. "That's what's interesting to me," Camejo said. "So many people out there are saying, 'Yeah, yeah, yeah, we're secure. Nobody will steal our data,' when in reality that number is a lot closer to 100%."

He is part of an offensive security team that does system penetration testing on networks. There are two reactions he gets when he presents executives with a report of all the ways his team has broken past firewalls. "The more enlightened will say, 'That's along the lines of what they expected.' They know their security isn't perfect and want to do what they can to patch the holes. The others will argue with every finding, saying, 'No, that's not really possible. That's just theoretical.'"

Sometimes, Camejo's team is brought in by the IT guys to do the penetration testing, because they know there are issues, and they need something from a third party to drop on an executive's desk and say, "Look, we need budget and more attention on this."

Other times -- and more reflective of an "enlightened" and "informed" leadership -- the IT team tells executives all is fine, and there's nothing to worry about. "Executives come to us to test the systems and verify IT's claims. And woe to the IT guys if we compromise their network in a few hours after telling the executives everything is great." And then, of course, there is a third category, where everyone is on the same page, "everyone knows nothing is perfect and want a better handle on what they should fix first. It's not always an adversarial relationship."

Perhaps the most important disconnect between today's executives and their understanding of data security is understanding the risk to value. The report concluded that risk assessments, where decision makers look at what they are trying to protect and from whom, along with the financial implications of a breach, are still not happening enough. They should be the driver behind security decisions and where to direct budget and focus. Unenlightened respondents will be more subjective if they see the true cost of a breach.

"When you look at things like the Target and Home Depot breach, how many people have walked out the door since that happened?" Camejo said. "If they aren't being proactive about hiring people with a better handle on information security, the problem isn't going to solve itself quickly." It will be addressed "fairly painfully."

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...
Comments
IvySchmerken
User Rank: Author
11/26/2014 | 1:17:35 PM
Re: Kidding Themselves
There is a skills gap between non-IT folks and security experts. But there is so much information available on best practices/check lists and tools that non-IT types could figure out whether they have adequate protections. I think there's no excuse to be uninformed given the wealth of security information that is out there. Even regulators are stipulating what questions they will ask ahead of cyber security exams.
Jonathan_Camhi
User Rank: Author
11/26/2014 | 11:59:08 AM
Re: Kidding Themselves
Now that different regulatory agencies are starting to look at cyber security practices, I think board members will be talking a lot more about it over the next year.
Greg MacSweeney
User Rank: Author
11/25/2014 | 2:39:59 PM
Re: Kidding Themselves
Cyber security is now a board level issue. A number of execs have told us that the board of directors spends a lot of time examining security procedures and reports (more than ever before).
Becca L
User Rank: Author
11/25/2014 | 2:35:33 PM
Re: Kidding Themselves
Wild, I agree. Chris made a great point about firms starting to cycle in new non-IT executives that at least have a grasp of security risk and value its role in the company - security is a company-wide issue, and organizations are realizing that all their executives (and all employees, if possible) need to be in some way "enlightened."
Becca L
User Rank: Author
11/25/2014 | 2:32:33 PM
Re: Kidding Themselves
In an earlier interview with Chris Camejo he said something I thought was interesting - a proper perspective on security vulnerabilities. He said that when vulnerabilities are found today, it's not like they have just popped up, chances are they've been there since the beginning of operation, but it's just now coming to light because hacking technology is making those loopholes more possible to exploit. It's sort of like building a higher and higher wall while they build taller and taller ladders. Any firm that thinks they can just stop building up defenses is asking for an attack.
Becca L
User Rank: Author
11/25/2014 | 2:28:41 PM
Re: Kidding Themselves
I couldn't believe that either, but I guess it goes back to the point that these executives are non-IT. They only know what they're told, or really able to understand about security. If IT tells them all is well, don't worry about our side of the business (just give us more money) I suppose they'll turn around and say it's secure.
IvySchmerken
User Rank: Author
11/25/2014 | 11:55:29 AM
Re: Kidding Themselves
An eye-opening statistic from the survey cited is that 37% of companies think their customer data is safe, while it should be closer to 100%. Those that hire experts to perform penetration testing of their networks are more realistic about the skills of hackers. Yet they seem skeptical when vulnerabilities are found, calling this "theoretical."
Greg MacSweeney
User Rank: Author
11/25/2014 | 5:43:35 AM
Re: Kidding Themselves
Ha. Yes. As soon as you think you are secure and you have found every vulnerability, that is when you will be hacked. Complacency and security do not mix well.
Jonathan_Camhi
User Rank: Author
11/23/2014 | 8:26:49 PM
Kidding Themselves
Any organization right now that thinks that it's totally secure against a breach has no idea what is going on in the world of cyber security. Any company out there can get hit right now.