A shift is occurring in the way industry and government deal with cybersecurity: Those in leadership positions are phasing out reactive strategies built to meet compliance standards in favor of proactive strategies constructed to exceed them.
This is according to a study released Tuesday by Southern Methodist University’s Darwin Deason Institute for Cybersecurity, which surveyed executives from across the public and private sectors. The 40 execs — predominantly chief information security officers — were asked about the scope of their cybersecurity programs and the issues they encounter implementing new policies. Based on the results of the short interviews, researchers concluded that — although issues remain — on the whole cybersecurity efforts have progressed substantially in recent years.
“The cyberspace landscape has changed rapidly over the past few years. Cyber risk is real and is a board level concern,” said Fred Chang, director of the Deason Institute in SMU’s Bobby B. Lyle School of Engineering, in an email. “Enterprises must plan for a wide range of business risks today: fires, floods, hurricanes, etc. They now must think of cyber in the same way — it is a substantial business risk that must be prioritized and managed.”
Executives were surveyed on a number of criteria, ranging from “macro” questions, like “What are your primary concerns from a cybersecurity standpoint?” and “Do you feel like you have adequate information in managing overall cyber risk and prioritizing accordingly?” to “micro” questions, like “How do you evaluate security investments after they are made?” and “Can you talk about one or two of your most recent large cybersecurity projects?” The Darwin Deason team stratified responses into categories and assessed each of them across all participants.
Across the board, results were promising.
About 81 percent of respondents indicated that upper management is supportive of their cybersecurity goals, while 85 percent said the level of support has been on the rise, according to the study. No one indicated that cybersecurity support is decreasing. One respondent — a CISO — identified a “hunger for security in the company” and said that “senior management has gotten religious about how important security is.” Eighty-eight percent of participants responded that their cybersecurity budgets had increased.
A major driver in this trend seems to be a broad shift from a mindset of adhering to compliance rules to one of exceeding them.
“I try, in everything that I communicate about why we’re investing in security, I always try to make the compliance argument the last thing because I think that way too many programs are aligned around ‘What’s the minimum thing I have to do to get a check mark? And if I get a check mark I must be fine,’” one CISO reported. “I don’t really talk about the security program from a compliance standpoint very often.”
Another marker of advancement is the adoption of frameworks — some standardized, such as those from the National Institute of Standards and Technology and the International Organization for Standardization, and some tailored to each institution. By establishing a set approach to cybersecurity, CISOs are better able to communicate their needs to other organizational branches.
“Frameworks … are at the center of defining risk perception and investment,” the report states. “CISOs … value frameworks as a powerful way to make clear to senior decision makers the business risk they face due to cyber events; this understanding of the potential business impacts enabled the CISOs to effectively present the case for projects, and allowed them to report progress.”
The challenge that confronted nearly every executive interviewed was recruiting and retaining a talented workforce — particularly for government CISOs, who are not equipped to offer corporate salaries. One CISO reported finding qualified candidates only to have them stolen away by a competitor offering $30,000 more for the position.
The “dominant theme that arose from the study was the lack of qualified personnel — the so called skills gap,” Chang said. “Whatever best practices that are being implemented by firms must be carried out by qualified personnel — and finding those qualified people will be a challenge now and into the future.”
One remedy to these traditional problems, according to the report, is creativity.
“[E]ffective security officers get creative in order to get their jobs done,” the report states, going on to discuss the case of a CISO who repurposed legacy systems to run elements of security programming, and another who actually hacked vulnerabilities in his system at board meetings to demonstrate the need for security investment.
“Security has to be able to have a basis to argue its point of view in a compelling story with some thought behind it,” said one CISO, “rather than ‘I want to get these things because it’s the next cool security thing that’s out there’.”
Asked about the differences in government and industry responses, Chang said, “Government can learn from industry and industry can learn from government. One of the encouraging findings from our study was that there is a good bit of information sharing already going on – in a variety of venues. The respondents understand that the better they understand the threat, the better prepared they will be to defend against it.”