The received wisdom is that European IT security professionals are under overbearing pressure from adversaries when it comes to cybersecurity. Yet a new, in-depth, independent study commissioned for Palo Alto Networks into current attitudes reveals a profession that is more determined and confident than might be expected.
The real tensions in their working life are the difficult conversations IT security managers must have with their senior management bosses on the fallout from attacks. Also highlighted in the report is a need to ramp up systems and processes for the comprehensive breach reporting required in the European Union General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive.
Furthermore, years of cyberattacks have not left IT security professionals reeling; instead they are more experienced and determined to prevent attacks. When asked about the impact of a cyber incident on them, the majority (60 percent) said it provided them with an opportunity to learn from the experience and bounce back stronger; only nine percent said that it would lead to their job termination. Taking a strong preventative posture is the overwhelming strategy with, on average, 65 percent of the IT security budget allocated to it across Europe.
Where IT security professionals are less sure is with their relationships with senior management:
- Senior Managers Confused on Security: After a security breach, nearly a third (32 percent) of IT security professionals report their senior managers expressed confusion about why it had happened at all with nearly 1 in 5 respondents saying senior management blamed the team and 1 in 10 blamed them personally.
- Security Is an Awkward Conversation: Half of IT security professionals (51 percent) find it difficult to highlight possible security system weaknesses for senior management, while the rest (49 percent) find it more difficult to admit something has gone wrong and a breach has occurred. The most awkward conversation is when human failure is a factor (28 percent) ahead of a supplier being to blame (23 percent), and the need for more investment to mitigate future risk (21 percent).
- Involving Senior Managers Backfires: A third of IT professionals regard involving senior management as making matters more difficult. Notably the third most common reason for not reporting an incident was the person who caused it was part of the senior management team.
- EU Legislation to Increase Internal, Managerial Tensions: About half of IT professionals (47 percent) anticipate awkward conversations with senior management about these new breach notification requirements. Although a majority (63 percent) are positive about the legislation’s impact, respondents are concerned it will add unnecessary costs and complications and cause operational strains (56 percent). With the most common reason for not reporting a breach today being that it was too minor – 30 percent of cases – or the IT professional was too busy (27 percent), there are clearly still major challenges to overcome.
“The tensions and gaps in understanding illustrated by this study are apparent. As I talk to companies across EMEA, I spend a lot of time helping them determine how IT security professionals and the rest of the senior management team can get closer on cybersecurity issues that are so serious and strategic. Technology can help in simplifying the processes involved, preventing and automating effective responses to incidents. But it’s clear that there needs to be more open dialogue within the senior management team to execute and continually improve on cyberattack prevention strategies,” said Greg Day, vice president and regional chief security officer, EMEA, Palo Alto Networks.
Find a Common Language: Many senior leaders struggle to comprehend cyber risk. Help make it visceral and relevant by defining some clear business metrics for cybersecurity:
- Within your prevention strategy, involve senior leaders in a readiness exercise to test cybersecurity processes so they can understand and are engaged in the issues and risks.
- Emphasize how new regulations, like the GDPR and NIS Directive, raise the bar on corporate responsibility. The need for state-of-the-art cybersecurity has never been greater, but remind the leadership team it is an ongoing, evolutionary journey with no nirvana.
Incidents do happen, so be prepared to respond. However, many can be avoided through focusing on the right key principles, leveraging automation, introducing better education and having a preventative focus.
