Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/28/2016
09:50 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

KPMG Study: Breaches Up, Security Spending Down

81 percent admitted to a recent breach but less than half said they'd invested more in security as a result

Finally, some numbers to put to one of business's biggest security disconnects: More than 80 percent of "C" suite executives admitted their companies have been breached in the last two years, but less than half said they've actually invested in any kind of information security product or service as a result.

The findings were part of a KPMG LLP's Consumer Loss Barometer report, released this week, which surveyed 403 CIOs, CISOs, CTOs and CIOs.

Respondents in the retail sector counted the most breaches, with 89% reporting yes, followed by automotive (85%), and banking and technology companies (76%). On the spending side, 66% of banking respondents said they'd made some sort of security investment, followed by technology (62%), retail (45%), and automotive (32%).

The disconnect between the high volume of breaches and low amount of security spending reflects a growing sense of overwhelm, particularly among CXOs, according to Greg Bell, KPMG's cyber US leader.

"We started using the term 'cyber fatigue' about 18 months ago and it's only accelerated," Bell says. It's not just an increase in the volume of breaches companies are experiencing, but also new kinds of risk that CXOs must learn about – and respond to strategically.

"Security should not be a function of IT but of business innovation," Bell says, underscoring one of the mantras from the report. "As you offer a new product, partner with new partners, or introduce services to a broader, global market, they all require a shift in security control," he adds. "If you don't align it with how the business is growing and innovating, you may be spending your security investment incorrectly."

To back that up, Bell points to an unnamed insurance company he talked to where the CISO was spending a lot of money to protect the company's dealer network. But another executive from the same company told Bell the medium-term plan was to get rid of dealers in favor of an app. The money spent on endpoint protection for the dealers was pointless and wasteful.

Bell also cited the changing nature of the automotive industry, where a strategic focus on security has lagged in comparison to other industry sectors. He also points to advancements in the infotainment elements of vehicles, not to mention GPS and autonomous driving features that have changed how consumers buy. "Consumers are also concerned about hacking and 80% don't want to buy a car that's associated with being hacked," Bell says. More than half of all auto companies lack an executive solely responsible for security – no CISO or its equivalent. "Auto makers aren’t aligning their spending with what their customers are thinking about," Bell says.

Infosec professionals regularly deal with projects where they start to deploy some new security product, only to have something better -- and cheaper -- come along as they near completion with now-older technology. By aligning security spending with innovation and the larger business strategy, companies can rescue infosec professionals who struggle to justify their expenditures, Bell says.

There's also concern among executives around security as they watch (and approve) lots of money getting spent to address vulnerabilities and improve safeguards, according to Bell. But yet the number of threats, hacks and actual breaches continues to increase. So while organizations may need to spend more on prevention and detection, there's nothing that can ever completely eliminate the threats. "That's been a mixed message to executives," says Bell, "and we need to articulate that better."

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/1/2016 | 7:30:37 AM
Re: Proactivity vs Reactivity
@Ryan: For that matter, how do you feel about the relationship between the CISO, the CCO, and the CPO?  In many organizations, one of these does the job of another -- if not all three.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/31/2016 | 10:15:55 PM
Re: Proactivity vs Reactivity
Also a divorce of the roles is probably for the best.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/31/2016 | 10:08:15 PM
Re: Proactivity vs Reactivity
I've put a lot of thought into this conflict of interest in the past between the CIO's goals and the CISO's. As you stated in your article, the success metrics for each is different. Cyber Security is more of a cost saving mechanism than a revenue earning mechanism, and unfortunately for InfoSec professionals the latter is held in higher regard.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/30/2016 | 7:26:56 AM
Re: Proactivity vs Reactivity
Indeed, even the federal government has taken note of the CIO-CISO conflict of interest.  Capitol Hill Republicans have proposed having the CISO of the Department of Health and Human Services answer to the General Counsel, as can be seen in this report from last year: energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/114/Analysis/20150806HHSinformationsecurityreport.pdf

Now, a bipartisan bill before Congress proposes separating the office of the DHHS CISO entirely -- completely divorcing the role of the CIO.  See, e.g., fcw.com/articles/2016/05/27/hhs-ciso-hearing.aspx
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/30/2016 | 7:23:30 AM
Re: Proactivity vs Reactivity
@RyanSepe: The notion isn't novel -- and one of the primary justifications for it is that the CISO and the CIO have an inherent conflict of interest.

I wrote about it for InformationWeek last year, in fact: informationweek.com/strategic-cio/cyber-security-and-the-cio-changing-the-conversation/a/d-id/1320660
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
7/29/2016 | 3:47:59 PM
Re: Proactivity vs Reactivity
Personally, I think that cybersecurity has come to the point where it really is its own discipline. When it comes to protecting an organization, cybersecurity has to have an equal voice at the table, and any tiebreaker should come from the one who is responsible for the organization as a whole. That usually falls on the shoulders of the CEO. Anytime you place security under another line, it takes a back seat and no longer has a fair voice at the table. For instance, if the CISO falls under the CIO, there is an inherent conflict of interest. IT is tasked with delivering technology to enable the business, whereas security needs to ensure that the technology is safely delivered (an oversimplification, I know, but it illustrates the point). If a situation arises where those come into conflict, IT generally overrules security. I have seen this happen. I have seen a CIO reclassify a security position because IT needed another FTE and did not have an open req. How does that help security? In that particular case, the security position that was reclassified was never reinstated or replaced. It was a permanent loss for security.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2016 | 1:54:47 PM
Re: Proactivity vs Reactivity
That's an interesting point of view that I have yet to hear having the CISO under the CFO. Definitely seems plausible. Typically what I have seen is the CISO under the CIO. Do you think it would be more beneficial to have the CISO under the CFO, like you stated, or on the same level as the CFO all under the CEO?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2016 | 1:52:20 PM
Re: 20% ?
Yes, I have heard variations of this same premise elsewhere. I do agree with this to a certain extent. I think what it comes down to was how severe was the hack.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/29/2016 | 1:29:13 PM
Re: Proactivity vs Reactivity
@Dr.T: Yet another (of many) reasons the CISO should report directly to the CFO.  If security comes more directly under the CFO's purview, the fallout of a breach or data loss/compromise will hit the CFO more directly.  Then they'll start budgeting better.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
7/29/2016 | 1:27:23 PM
Re: 20% ?
An MIT Professor and cybersecurity expert I know, Stuart Madnick, always has this quip to share at every presentation he gives: "There are two types of organizations: Those that know they've been hacked, and those that don't know they've been hacked."
Page 1 / 3   >   >>
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.