New research* released today has revealed that CEOs are overconfident when it comes to their cybersecurity approach, and are potentially leaving themselves at risk of attack due to outdated and unrealistic strategies. RedSeal, the cybersecurity analytics company, today released the results of a global CEO study. The results – based on the insights of Chief Executive Officers (CEOs) of 200 global companies – have demonstrated what RedSeal is calling “CEO Cyber-Naivety”, where more than 80 percent of CEOs were very confident in their firm’s cybersecurity strategies, despite the fact that security incidents have surged 66 percent year-on-year since 2009**.
“CEOs may be underestimating their companies’ cyber vulnerabilities,” said Ray Rothrock, chairman and CEO of RedSeal. “Their confidence does not match with what we know and the threat landscape we are witness to every day. Cyber-attacks are up and financial losses associated with these attacks are increasing exponentially.” Financial losses from cyber-attacks are projected to jump from over £400 billion in 2014 to almost £2 trillion in 2018, according to PricewaterhouseCoopers’ 2015 Global State of Information Security Survey.
Cyber Confidence Based on Out-of-Date Strategies
While CEOs remain confident that their cyber strategies are well equipped to handle the risks facing their company networks, there is a clear disconnect between their perception and reality. Over half of CEOs surveyed (58%) now discuss their cybersecurity strategies on a daily basis at board level. But it seems these conversations aren’t always leading to the best course of action or protection.
The Cyber Security Breaches Survey released recently by the UK government found that while one in four large firms experiencing a breach did so at least once a month, only half of all firms have taken any recommended actions to identify and address vulnerabilities. Even fewer, about a third of all firms, had formal written cyber security policies and only 10% had an incident management plan in place.
British businesses are being urged by the UK government to become more resilient to cyberattacks and are being asked to review their current approach. This follows stats showing that two thirds of large UK businesses have been hit by a cyber breach or attack in the past year.
Minister for the Digital Economy Ed Vaizey said: “The UK is a world-leading digital economy and this Government has made cyber security a top priority. Too many firms are losing money, data and consumer confidence with the vast number of cyberattacks. It’s absolutely crucial businesses are secure and can protect data. As a minimum companies should take action by adopting the Cyber Essentials scheme which will help them protect themselves.”
So where do the priorities lie for CEOs?
The RedSeal study found that half of the CEOs still prioritise keeping hackers out of the network, versus just 24 percent who were concerned with building capabilities to deal with hackers who have successfully breached their network’s perimeter defences – the more likely scenario in today’s threat landscape.
“The new cyber battleground is inside the network, not at the perimeter,” said Rothrock. “Firewalls, virus detectors, and malware scans keep out 99 percent of the bad guys, but the one percent who get in can cripple a business and their critical infrastructure.”
CEOs Struggle to Assess Their Massive – and Growing – Cybersecurity Investments
The study found that, while 87 percent of CEOs agree that they need a better way to measure the effectiveness of their cybersecurity investments, 84 percent still plan to increase their spending in the next year. This trend is reiterated by IDC’s Oct. 2016 prediction that organisations will spend almost £1 billion on cybersecurity software, services, and hardware in 2020, a 38 percent increase from its 2016 spend projections.
“We’ve reached an inflection point where cyber security strategies and investments have underperformed for an extended period of time. Analysts estimate that cyber losses are now growing more than twice as fast as the spend on security,” said Ray Rothrock, chairman and CEO of RedSeal. “To stem this tide, CEOs need more effective metrics to understand the real-time health and function of their network, and to more clearly manage and measure their cyber strategies and investments.”
How do CEOs Measure Effectiveness of Cyber Strategies?
Even though security budgets are at an unprecedented high, nearly three out of four CEOs report the metrics they receive lack meaning or context. Most (79 percent) agree their reports are too difficult to understand, and 87 percent need a better way to measure whether cybersecurity investments are effective. In addition, they cite a lack of timeliness (51 percent) as well as only receiving reports in times of crisis (50 percent) as significant challenges.
Nearly 90 percent of CEOs say they want information — on a daily basis — about their cybersecurity posture and network’s overall health, external threat level, and the resilience of the network.
And while 79 percent of CEOs surveyed strongly agree that cybersecurity is a strategic function that starts with executive leadership versus being a responsibility passed on to the IT team, 89 percent of these same CEOs report reliance on their IT team to make the budget decisions on cybersecurity.
“CEOs project a great level of confidence when asked about their cybersecurity strategies, however their perceptions aren’t in line with reality,” said James Kaplan, partner at McKinsey & Company and co-author of Beyond Cybersecurity: Protecting Your Digital Business. “For years, the IT security industry has operated with the understanding that every organisation will suffer a security incident. Given this inevitability, CEOs should be much more focused on building resilience into their networks so they can maintain business operations when the breach occurs.”