Blog : BOARD TALK
Posted on November 13, 2015 at 2:10 PM
EY's timing of its 18th Global Information Security Survey (GISS) - just out - turns out to be excellent.
It reminds us - as the headlines every day demonstrate - that the most likely sources of cyber attacks are criminal syndicates (59%), hacktivists (54%) and state-sponsored groups (35%). But it also points to a staggering absence of strategic agility and responsibility on the part of business.
When it comes to IT security budgets, 69% of those surveyed say that their budgets should be increased by as much as 50% "in order to align their organisation's need for protection with management's tolerance of risk."
The survey, which involved 1,755 organisations from 67 countries, finds that 88% do not believe their information security structure fully meets their needs.
Here are some jaw-dropping statistics:
► 54% say they lack a dedicated function that focuses on emerging technology and its impact
► 47% do not have a security operations center
► 36% do not have a threat intelligence programme, while 18% do not have an identity and access management programme
And what is being blamed? Why, a 'lack of talent', of course.
More than half (57%) said that the contribution and value that the 'information security function' provides to their organisation "is compromised by the lack of skilled talent available." This compares with 53% of respondents in the 2014 survey, indicating that the situation is deteriorating, rather than improving, says EY.
But what about those people sitting in the boardroom? Clearly, if there are all these people around increasing the threat to cybersecurity - and assuming they are not aliens from another planet... - there is talent available to counter the threat.
Boardrooms have to start by not seeing IT as a function, move swiftly on to not seeing it as someone else's problem, and find a way to tap into younger, savvy talent without considering it a threat to 'tradition': the ways in which things have been done until now.
"Cybersecurity is inherently a defensive capability, but organisations should not wait to become victims. Instead, they should take an 'active defense' stance, with advanced security operations centers that identify potential attackers and analyze, assess and neutralize threats before damage can occur. It is imperative that organisations consider cybersecurity as an enabler to build and keep customers' trust," says Paul van Kessel, Global Risk Leader, EY.
Ah yes, 'trust.' That thing that shareholders have in the businesses in which they invest - assuming that they anticipate risk, as well as responding to it on a daily basis.
A lack of spending on technological innovation is surely an enormous failing, and one suspects it would look even bigger set against the marketing and advertising budgets of those same businesses surveyed. That's not about 'trust'; it's about (short-term) profit.