08:05 AM
Jeffrey Burt

Kaspersky: Most CISOs Say Cyber Attacks Are Inevitable

The Kaspersky Lab report says that while the relationship between executives and CISOs is improving, there continues to be a disconnect around such issues as budgets and the risk of threats.

The bulk of companies' top security officials believe that cybersecurity breaches are inevitable, according to a report by Kaspersky Lab that also highlighted the changing roles of CISOs and their uneasy relationships with other C-level executives.

The report, "What It Takes to Be a CISO: Success and Leadership in Corporate IT Security," paints a picture of chief information security officers under increasing pressure to protect their companies against attacks that are extremely difficult to prevent while often lacking the financial resources they say they need and vying with other departments for budgets.

In addition, while many feel they are adequately involved in the business-decision process, their roles in defending against cybersecurity attacks may not be a high enough priority, according to Kaspersky researchers.

However, while there may be ongoing tension in the CISO's relationship with other top executives regarding budgets and the realities of the current security environment, things seem to be improving, even if only gradually.

"Although a number of studies have been released quantifying the impact of a breach, the ROI of IT security expenditure can still be hard to argue, as most calculations include probabilities and assumptions on the damage caused by breaches, including direct financial losses and the costs associated with reputational losses," Andrey Pozhogin, cybersecurity expert at Kaspersky, told Security Now in an email. "Therefore, there continues to be some disconnect between top-level management and CISOs in regards to security expectations."

However, Pozhogin said, overall the relationship between executives and CISOs has strengthened in recent years. He noted as an example that "the portion of IT budgets spent on security has increased in North America over the past year, for both enterprises and SMBs. This is evidence that cybersecurity is becoming more of a boardroom issue and a priority for companies of all sizes."

The survey, conducted by PAC for Kaspersky, questioned 250 IT decision makers in the manufacturing and service sectors earlier this year. Among the key findings is that 84% of CISOs in North America said that cyberbreaches are inevitable, listing ransomware, phishing, general malware and Trojans as among the most difficult types of attacks to respond to. Forty percent said financially motivated criminal gangs were the largest IT security risk, followed by malicious insider attacks (29%), and that such attacks were very difficult to prevent.

The ongoing digital transformation within most companies only heightens the risk of cybersecurity threats. The cloud, and in particular uncontrolled cloud expansion by lines of business, was cited by survey respondents as the top security risk, followed by social networks and mobility, all key factors in increasingly digital businesses. They also listed complex infrastructures involving the cloud and mobility, managing personal data and sensitive information, and the increase in cyber attacks as the top challenges CISOs face.

Kaspersky researchers note that the trend toward digital transformation should mean that cybersecurity becomes a top priority, which should lead to the CISO evolving to becoming more influential in important business decisions. Pozhogin added that 58% of CISOs said they are adequately involved in decision-making, an indication that their influence is growing.

"However, in addition to just involvement, it is important that security leaders are a part of the organizational hierarchy," he said. "Having a CISO at the executive level is still only typical in enterprises that are highly digital, highly sensitive or very large, and in North America, just 40 percent of cybersecurity managers are part of the C-suite. While the trend is headed in the right direction, there is still plenty of room to grow."

Other cybersecurity vendors have echoed the sentiment.

Trend Micro researchers in September noted that despite the rapid growth worldwide in the number of intelligent connected devices, only 38% of Internet of Things projects include input from CISOs and other IT security professionals. (See Why CISOs Need a Seat at the IoT Projects Table.)

There also is a disconnect between CISOs and executives regarding budgets. Budgets are growing -- 60% of CISOs in North America expect to see increases -- but getting the money they believe they need is difficult. There is no clear ROI that can be presented to executive teams for security spending, and security professionals can't guarantee 100% protection from cyber threats. Thirty-six percent of CISOs surveyed said that not being able to promise there won't be a breach has kept them from getting the security budgets they believe they need.

This is despite the growing understanding of the damage a breach can do to a company, both financially and to their reputations. Gemalto researchers found that the number of records breached in the first half of 2018 jumped 133% compared to the first six months last year, to 4.5 billion records. In addition, reports by CompariTech and Kaspersky found that data breaches can impact companies' long-term stock prospects and even cost C-level executives their jobs. (See Gemalto: 4.5B Records Breached in First Half of 2018.)

"The misalignment between CISOs and other executives most often happens because of a failure to clearly communicate the risk of an attack and its potential impact on the company's bottom line," Pozhogin said. "CISOs being experts in information technology and security tend to better understand the threat landscape and potential implications of each specific threat targeting their network. Other executives do not always have the same depth of understanding and the same level of operational insight, and thus they may downplay the risks, hoping that a minimal investment will suffice to establish a strong enough layer of defense."

Executives also tend to rely on "hope for the better," falling victim to the misconception that some industries are less likely to draw the same level of attention from attackers as others because there's nothing to steal and that companies that fall victim to a breach are targeted for reasons that aren't relevant to their own organization, he said.


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
