Part of the problem in managing cybersecurity challenges revolves around the fact that security isn’t seen as a critical business problem by senior executives and board members alike.
The recent 2017 global survey on the changing attitudes towards cybersecurity in business by Fortinet reveals that cybersecurity does not rank amongst the high focus areas for board members of organisations.
Surveying over 1,800 IT decision makers, Fortinet found that almost half of respondents believe that security is still not a top priority discussion for the board. At the same time, they also strongly contend that cybersecurity should become a top management priority, with 77% of respondents indicating that the board needs to put IT security under greater scrutiny, says Paul Williams, Country Manager for Southern Africa at Fortinet.
“One would assume there would have been a substantial uptick in interest by boards as a result of some of the most recent security attacks—and the dire implications they had on the targeted businesses,” says Williams. “However, even though boards do react when security attacks occur, their actions are generally reactive rather than prescriptive. Specifically, boards appear more involved in post-breach management than prevention.”
For example, the survey reveals that 77% of boards demand to know what happened after a security event occurs, and 67% review or increase security budgets. Security leaders obviously still have much work to do in up-levelling security to the board level.
Williams says findings from the survey corroborates the statement that no organisation is immune from the threat of breaches, ransomware attacks, or operational disruptions. Companies of all sizes and shapes as well as all industry segments are targets as 85% of respondents indicated that they suffered a security breach in the past two years, with almost half reporting a malware or ransomware attack.
There are a number of factors driving boards, executives, and IT decision makers to make cybersecurity a top priority in 2018.
According to Williams the more significant ones are:
Security Breaches and Global Attacks. The vast majority of organisations have experienced some type of security breach or attack in the past two years. 49% of survey respondents said their organisations increased their focus on security following a global attack such as WannaCry. Increased publicity and attention, along with implications on brand reputation and business operations makes these board-level issues rather than IT operational undertakings.
Attack Surface. The adoption of the cloud, emergence of IoT, and growth in big data expands both the circumference of the attack surface as well as its complexity. 74% of survey respondents indicate cloud security is a growing priority for their organisations. Half say their organisations plan cloud security investments over the next 12 months. IoT is just as big a factor when it comes to the ever-expanding attack surface. The number of connected IoT devices is predicted to balloon to more than 8.4 billion by yearend according to Gartner. Of these, 3.1 billion belong to businesses. As many IoT devices are difficult to protect, experts concurrently predict that more than 25% of all security attacks will target IoT devices by 2020.
Regulatory Compliance. New government and industry regulations are also increasing the importance of security. 34% of respondents indicated that these regulations heighten the awareness of security at the board level. Passage of the General Data Protection Regulation in the EU, which goes into effect in 2018, is one such example.
“These trends are forcing cybersecurity to be seen as a strategic issue, within an organisation’s broader risk management strategy, rather than a simple IT investment. To succeed in their digital transformation efforts, IT security leaders must rethink their cybersecurity approach with a view to extending visibility across the attack surface, shortening the window between time to detection and mitigation, delivering robust performance, and automating security intelligence and management.”