Many Boards of Directors Not Regularly Briefed on Cyber-Security: Survey
Posted on February 19, 2015 by Kara Dunlap in Security
Even as cyber-threats circulate, the boards of directors at many enterprises continue to remain out of the loop when it comes to security.
A new study from the Ponemon Institute found that 78 percent of the more than 1,000 CIOs, CISOs and senior IT leaders surveyed had not briefed their board of directors on cyber-security in the last 12 months. In addition, 66 percent said they don’t believe senior leaders in their organization consider security a strategic priority.
The findings follow a recent survey from the National Association of Corporate Directors (NACD) that found that more than half (52 percent) of the 1,013 corporate directors surveyed were not satisfied with the amount of information they were receiving about cyber-security. In addition, 36 percent said they were unsatisfied with the quality of that information.
“For a long time IT issues were seen by Boards of Directors as jammed printers and computer crashes,” said Michael K. Daly, CTO of Raytheon’s cyber-security business. “Showing the threat to brand and reputation – and ultimately shareholder value – has taken time. The Global Megatrends Survey showed that only 22 percent of respondents have briefed the board on the organization’s cyber-security strategy in the past 12 months and only 21 percent say the board actually requested a briefing. In fact, one of the driving factors behind Raytheon’s desire to do this study was to elevate the information security point of view into the C-suite.”
One of the best ways to communicate with the boardroom is by reporting simple metrics that matter to the business, said Daly.
“Telling a board how many times a firewall blocked an attack doesn’t mean anything – they are left to wonder if it is good or bad that we are seeing attacks,” he said. “At Raytheon we report one number, dwell-time – the amount of time an attacker is able to use a computer before being stopped. Our goal is to keep that number as close to zero as possible by preventing their ability to communicate, move or do harm. For our board members, the trending of that one number allows them to determine the company’s exposure to risk and whether the right investments are being made, whether it is in analytics, talent, employee training, or new tools.”
Less than half of the respondents believe their organizations take appropriate steps to comply with leading cyber-security standards, and just 47 percent said their organizations have sufficient resources to meet cyber-security requirements.
Still, the majority of respondents believe their cyber-security postures will improve for the following reasons: cyber intelligence will become more timely and actionable, more funding will be made available to invest in people and technologies, technologies will become more effective in detecting and responding to cyber threats, more staffing will be available to deal with the increasing frequency of attacks, and employee-related risks will decline.
“High-profile cyber-security breaches are closing the gap between CISOs and CEOs by forcing meaningful security discussions into corner offices and boardrooms,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a statement. “In the meantime, our study found there is still a large delta between resources and needs, as security leaders lack both funding and manpower to adequately protect assets and infrastructure.”
Consumers Ready for Internet of Things, But Fear Data Privacy and Security Implications: Survey
Posted on June 23, 2014 by Kara Dunlap in Security
Security vendor Fortinet released a survey that shows homeowners want to embrace the Internet of Things (IoT), but are worried about privacy and security.
In a survey of 1,801 homeowners, Fortinet found that 61 percent of U.S. respondents believe the connected house – a home where appliances and home electronics are seamlessly connected to the Internet – is “extremely likely” to become a reality during the next five years. Eighty-four percent of homeowners in China felt that way.
But the excitement over the prospect is tempered by security concerns. A majority of respondents (69 percent) globally said they were extremely or somewhat concerned a connected appliance could result in a data breach of sensitive information. Among U.S. homeowners, the figure was 68 percent. When asked how they would feel if a connected device in their home was secretly or anonymously collecting information about them and sharing it with third parties, 62 percent said they would feel “completely violated and extremely angry to the point where I would take action.” The strongest responses came from South Africa, Malaysia and the U.S., with the U.S. coming in at 67 percent.
Fifty-seven percent of respondents in the U.S. also agreed with the statement that “privacy is important to me, and I do not trust how this type of data may be used.”
“The Internet of Things promises many benefits to end-users, but also presents grave security and data privacy challenges,” said John Maddison, vice president of marketing at Fortinet, in a statement. “Crossing these hurdles will require clever application of various security technologies, including remote connection authentication, virtual private networks between end-users and their connected homes, malware and botnet protection, and application security – applied on premises, in the cloud and as an integrated solution by device manufacturers.”
Many respondents said they felt they should have access to any data collected by a connected home appliance. Sixty-six percent said that only they or others to whom they have given permission should have access to this information. In the U.S., the number was 70 percent, with about a quarter also stating they thought the device manufacturer or their Internet Service Provider (ISP) should have access to the collected data as well.
Forty-two percent said the government should regulate collected data, while 11 percent said regulation should be enforced by an independent, non-governmental organization. In the United States, only 34 percent of respondents felt the government should regulate collected data.
Still, the respondents felt the device manufacturers should be primarily responsible for securing the device if a vulnerability is found. Forty-eight percent of all those surveyed agreed that the manufacturer is responsible for updating and patching their technology. However, almost 31 percent responded that it was the responsibility of the homeowner to keep the device up to date.
“The battle for the Internet of Things has just begun,” Maddison said. “According to industry research firm IDC, the IoT market is expected to hit $7.1 trillion by 2020. The ultimate winners of the IoT connected home will come down to those vendors who can provide a balance of security and privacy vis-à-vis price and functionality.”
Two-thirds of IT Employees Are Ready to Walk Out the Door: Survey
Posted on June 7, 2014 by Kara Dunlap in Security
Survey Shows IT Security Pros Aren’t Getting the Business Expertise Skills They Need at Their Current Companies…
With information security initiatives becoming more prominent in organizations, now is a good time to be an IT professional. However, organizations that don’t invest in their personnel run the risk of their experts moving elsewhere.
IT professionals are noticing a significant change in how they are regarded within their organizations, according to the latest research report from Wisegate, a private practitioner-based IT research services group. Instead of being treated as a nuisance or necessary evil, IT is increasingly being integrated into and respected by the business, according to the respondents—senior IT practitioners across a variety of industry sectors—who participated in the Wisegate survey.
But there is a gap somewhere, as many of the 362 IT professionals surveyed were looking for opportunities outside their organizations. Almost half of the respondents felt their organizations did not offer the opportunities they needed to advance in their careers. Two-thirds of the respondents said they expected to move on to another organization within the next two years. Respondents weren’t just anticipating events beyond their control, as nearly half said they wanted to move within the year.
“The fact that two-thirds of the IT employees are waiting to walk out the door is a far bigger risk [for organizations] than the next cyber-attack or a data breach,” Sara Gates, founder and CEO of Wisegate, told SecurityWeek.
A Good Work Environment
Security practitioners aren’t looking elsewhere because their organizations are ignoring their concerns or downplaying the importance of security. In fact, 72 percent of Wisegate respondents said their organizations took IT “very seriously” or “somewhat seriously,” according to the report. What was even more significant was the fact that nobody answered “not at all seriously” to this question, the report’s authors noted.
“This makes particular sense considering the shadow recent high-profile IT security incidents have cast, as well as the growing importance of mobile, apps and cloud as key business decisions that rely on IT to be successful,” the authors wrote.
A little under two-thirds of the respondents said processes at their organizations were “somewhat flexible” or “somewhat rigid,” according to the report. This means the IT processes aren’t treated trivially, nor are they “cast in stone and impossible to change” when necessary. This kind of environment “is actually ideal for IT professionals as they work to ensure stability and order at their places of work, even as technologies and new risks require them to frequently adapt,” the authors concluded.
“Business perception of IT security is at an all-time high, making security professionals more valuable on the market,” Gates said.
Soft Skills Wanted
IT professionals are discovering that their place in the business, their ability to affect the business, and their career options are changing. However, only 34 percent felt there were opportunities to advance in their current organizations, and 47 percent felt they would have to “leave my current company in order to move up the ladder,” according to the report. And lest anyone accuse these professionals of chasing a bigger paycheck, respondents to the Wisegate survey ranked “more money” sixth out of a list of eight reasons to move.
Instead, the Wisegate participants were interested in having more opportunities to learn, facing challenging work opportunities, and receiving positive feedback from the business side of the organization. IT professionals recognize they have to develop the soft skills necessary to work effectively with their non-IT counterparts.
Organizations interested in retaining their security staff need to look at the talent pool in a smarter way, Gates said. Developing technical skills, while important, is no longer enough. Programs focusing on soft skills such as effective communication, presentations, and negotiation are important. Organizations also need to open up internal opportunities to grow and advance. These security practitioners were “very focused on the [soft] skills they need; they are self-aware,” she said.
There is no need for the “lens of fear,” or worrying that investments would be wasted because the practitioners are going to leave anyway, Gates suggested. Since investments accumulate, organizations can spread out initiatives over a five-year program. One or two changes each year will be more effective than trying to throw together a lot of programs with varying levels of effectiveness. “It’s time to ask, ‘What’s the one thing you need to grow in your career?’ We need to build relationships,” Gates said.
The report was very clear: IT security professionals aren’t getting the business expertise skills they need at their current companies and positions, and are therefore looking elsewhere. IT professionals are in the position to gain and exert influence within their companies, and the way to stop the security exodus is to provide those opportunities internally.
“As their ability to interact grows, this can only be good for the business,” the report concluded.
The full report is available online (PDF) from Wisegate.