How do organisations take a ‘security first’ position?
IT veteran Jo Stewart-Rattray tackled this most foundational of business practices in her keynote on the first day of ITWeb’s Security Summit on Tuesday.
Speaking from Australia – where she is currently seconded as CISO to the Silver Chain healthcare organisation – she says it’s important for CISOs to cultivate relationships with people from across the business, and look at everything that security touches, such as the people, processes, technology, and even the culture in the firm.
“It’s really hard to craft a security strategy if there’s no overall business strategy. The two must go hand in hand, because security is actually a business concern,” she says.
Stewart-Rattray says the biggest growth areas for all attacks – 15% – are related to social engineering. But there has been a sea change in the threat actors themselves. Cyber criminals are responsible for about 22% of attacks, while malicious insiders are at 11%, and non-malicious insiders at 10%. She says in the recent past, insider attacks made up 80% of all breaches.
Outlining the challenges that organisations face every day, Stewart-Rattray says it’s important that the security professional is ‘heard’ within the firm, particularly at the right level.
Being a woman also brings its challenges, says Stewart-Rattray.
“I know you might think that’s a bit strange – we are living in 2020 – but there are biases to be overcome by being a woman at the top of the security organisation. You’d be surprised at the number of people who actually think of me as not being able to cut the technical mustard.”
It’s also vital to obtain strategic buy-in from fellow executives; the board may know it needs to be concerned about security, but isn’t cyber-aware itself. This can be tackled by framing security in business terms.
Budget and resource constraints are also factors that need to be highlighted, says Stewart-Rattray, as well as an over-reliance ‘on putting a sticking plaster on an issue’ – often with another piece of technology – where, in fact, the security problem may not be technology-related.
CISOs also need to take ownership and be accountable for implementing, monitoring, and reporting on security.
Quoting from this year’s ISACA report on the State of Cybersecurity, Stewart-Rattray says that 20% of respondents did not know whether their organisation had more or fewer attacks than in the previous year.
The move from on-prem systems to cloud services is also giving boards pause for thought.
“They’re seeing their traditional CAPEX being eroded and it’s moving to an operational spend.
“A recent computer economic benchmarking white paper showed that 78% of organisations globally are increasing their security spend, given the increasing cyber risks in particular industry sectors, such as healthcare.”
She quotes Gartner as saying that the average security spend should be around 4% to 7% of total IT spend, but that many CISOs are ‘fighting to get that 4%, let alone the 7%’.
She says in organisations with immature security postures, it’s advised that 10% of IT spend is devoted to security.
It’s also important to have an actual CISO, and the job shouldn’t be relegated to just another task that the CIO has to take care of.
Gartner recommends that the security budget be under the control of the CISO, but in some companies the CIO holds the purse strings. And in firms where security teams report to a CISO, there is greater confidence in their ability to detect and respond to threats than in those where they report to the CIO.
“Accountability is delegated from the board to the CISO, but in reality, I believe that every individual in an organisation plays some role in being responsible for security,” she says.
Staffing levels also correlate with a successful security strategy, or are at least a factor in staff members’ perceptions of a company’s readiness to fend off attacks.
She says that in the ISACA survey, 21% of organisations that were significantly understaffed said they ‘might’ be able to handle an attack, while more than half of respondents in companies that were appropriately staffed were completely confident about dealing with threats and attacks.
Organisations with low confidence and low staffing levels also reported a higher level of attacks.