Businesses in the United States are better off when it comes to cyber security budgets, as breach notifications are forcing management’s hand.
Speaking to IT Security Guru, Lance Spitzner, certified instructor at the SANS Institute, said that there has been a big change from ten years ago as, in the US, if an organisation gets hacked and records are compromised, they have to go public. “They don’t want to, but have to and in Europe they get hacked all the time, but when it does happen, management look for the biggest carpet in the room and put it under it,” he said.
“In the US, it is very big and very visible and people lose jobs. It is not the case that our security is better in the USA, but there is more discussion and companies are doubling their budgets. It is not the USA being better or worse, it is all going public; you see a greater sense of urgency and that is why the CISO goes to a higher level.”
Spitzner said that the skills shortage began a few years ago when two to three per cent of companies were hiring people. Now everyone is making a mad dash for staff, and people need to have certain skills and a certain mindset to be really good as well as be creative, passionate and want to learn.
He said: “It is like crime, you will never solve it and you will always need a police force. It is just now that criminals are winning more in cyber space than in the physical world and in the future, you will look at senior management and not the geeks.”
Spitzner commented that in the United States there is a fundamental shift: the security manager once reported to the IT guy, the IT person reported to the operations guy, and they reported to the CEO and the board, so the security guy was three or four layers down. “Now we are starting to see a shift where the security guy reports to the board or to legal, or they are the chief risk officer,” he said. “So essentially IT is becoming less of an IT function, and more of a business function and it is getting higher in the food chain.”
He claimed that boards are having a hard time finding a CISO who can communicate to the business, but that the number of press reports on security is changing attitudes in the US and Europe; European instructors are aware of the problem, as management doesn’t have the sense of urgency that the US does.