CISOs believe CEOs are breaking security rules: Symantec
Nearly three-quarters, or 74 percent, of chief information security officers (CISO) in Australia believe their CEO has broken internal security protocols, either intentionally or unintentionally, a report from Symantec has found.
Covering 1,100 CISOs across 11 global markets, the Symantec CISO Survey revealed that CISOs in Australia are also concerned about growing threats to enterprise data in the cloud and their ability to respond quickly to attacks, with 86 percent of those surveyed indicating that ensuring cloud applications adhere to compliance regulations is one of the most stressful aspects of their job.
Respondents said on average, 29 percent of the cloud-based applications used at their companies are unsanctioned -- or "shadow apps" -- with Australian CISOs kept up at night having to ensure cloud apps meet compliance and regulation.
"Security is constantly between a pendulum of being compliance oriented, policy, protocol, governance, or being something protection oriented regarding brand, information, operations," said Samir Kapuria, SVP and GM of Cyber Security Services at Symantec.
"What's interesting about this is the fact that most CISOs were focused on the compliance side of it is pretty indicative of the fact that they don't feel there's enough governance and structure in cloud environments."
Speaking with journalists in Sydney, Kapuria said the concept of rogue IT has been born out of how simple it is to sign up for cloud services.
"Business units within a company don't necessarily go through the IT department before they sign up for something ... next thing you know they have access to some cloud application that they are using for business efficiency or effectiveness to get their job done," he explained, noting this leads to CISOs being unaware of what apps they need to protect.
He also said for many organisations, cloud has got ahead of them, and now they are playing catch-up against the cloud environment, noting that gap is what cyber criminals are really leveraging against.
While most CIOs believe they are running 30 cloud applications that were sanctioned by the organisation, Kapuria pointed to an example where an organisation discovered over 900 cloud applications had been deployed with almost all unknown to the CISO.
Also of high concern to the CISOs surveyed on cloud security was the threat of data loss, with 34 percent worried about data loss stemming from internal sources.
"The board and the CEO don't necessarily understand the damage that a cyber attack could have in an organisation, but as they're seeing more and more victims and the catastrophic affect it has had on a business's reputation, the more we find they're starting to quickly learn," Kapuria said.
If a CEO is championing cyber resilience within an organisation, they need to practice what they preach, according to Kapuria.
"The overwhelming focus Australian CISOs had on data shows the dependency they have on digital form factors around their businesses. It also is a good highlight that the key currency that's being measured for many organisation's assets are in digital form," he added.
"Most CISOs are now focused on educating their boards and giving them awareness around the cyber risks and the risk tolerance of the organisation ... and the impact it will have on things such as revenue stream.
Kapuria said that cybersecurity is the only industry that has an active adversary changing the risk profile of an organisation every day, unlike other industries that can measure risk at least to some degree.
"In cyber, tomorrow something could come up like WannaCry that just changes the whole risk profile," he explained.
Looking ahead to the second half of 2017, Symantec's report states that CISOs possess a growing concern over the threat of external account hijacking, while 30 percent of CISOs flagged a data breach as their highest concern.
In an effort to legislate around informing Australians of when their privacy has been breached, the federal government finally passed data breach notification laws at its third attempt in February that will see people be alerted of their data being inappropriately accessed come February 2018 under the Privacy Amendment (Notifiable Data Breaches) Act.
The legislation is restricted to incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm".
Notification laws apply only to companies covered by the Privacy Act, and sees intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties exempt from disclosing breaches.
Even though the laws excuse companies with a turnover under AU$3 million, Kapuria believes awareness, compliance, and breach disclosure will have a trickle-down effect into small organisations that deal with larger organisations bound by the laws.