RedSeal, a company operating across the cyber security analytics market, has released the results of a CEO study, which surveyed perceptions of – and confidence in – their cyber security posture.
The study, based on a survey of 200 chief executive officers from organisations across a host of major industries, including technology, finance, manufacturing, government and retail, found that more than 80 percent of CEOs are very confident in their firm’s cyber security strategies, despite the fact that security incidents have surged 66% year-over-year since 2009 according to PricewaterhouseCoopers’ 2017 Global State of Information Security Survey.
“CEOs are underestimating their companies’ cyber vulnerabilities,” said Ray Rothrock, chairman and CEO of RedSeal. “Their confidence does not square with what we observe. Cyber-attacks are up and financial losses associated with these attacks are increasing dramatically.” This is a particularly acute problem in the Middle East, where according to PricewaterhouseCoopers’ 2016 report on cybersecurity in the Middle East, companies in the Middle East suffered larger financial losses than their global counterparts as a result of cyber-attacks with 50% reporting losses greater than US$500,000 as opposed to 33% globally.
Cyber confidence based on out-of-date strategies
While CEOs remain confident that their cyber strategies are well equipped to handle the risks facing their company networks, there is a disconnect between their perception and reality. The RedSeal study found that half of the CEOs still prioritise keeping hackers out of the network, versus just 24 percent who were concerned with building capabilities to deal with hackers who have successfully breached their network’s perimeter defences.
“The new cyber battleground is inside the network, not at the perimeter,” said Rothrock. “Firewalls, virus detectors, and malware scans are required to keep out 99% of the bad guys, but the one percent who get in can cripple a firm, critical infrastructure or a government agency.”
CEOs struggle to assess their massive – and growing – cyber security investments
The study found that, while 87% of CEOs agree that they need a better way to measure the effectiveness of their cybersecurity investments, 84% still plan to increase their spending in the next year. A trend reiterated by IDC’s Oct. 2016 prediction that organisations will spend $101.6 billion on cybersecurity software, services, and hardware in 2020, a 38% increase from its 2016 spend projections.
“We’ve reached an inflection point where cyber security strategies and investments have underperformed for an extended period of time. Analysts estimate that cyber losses are now growing more than twice as fast as the spend on security,” continued Rothrock. “To stem this tide, CEOs and boards need more effective metrics to understand the real-time health and function of their network, and to more clearly manage and measure their cyber strategies and investments.”
Even though security budgets are at an unprecedented high, nearly three out of four CEOs report the metrics they receive lack meaning or context. Most (79%) agree their reports are too difficult to understand, and 87% need a better way to measure whether cybersecurity investments are effective. In addition, they cite a lack of timeliness (51%) as well as only receiving reports in times of crisis (50%) as significant challenges.
Nearly 90% of CEOs say they want information – on a daily basis – about their cyber security posture and network’s overall health, external threat level, and the resilience of the network.
And while 79% of CEOs surveyed strongly agree that cyber security is a strategic function that starts with executive leadership versus being a responsibility passed on to the IT team, 89% of these same CEOs report reliance on their IT team to make the budget decisions on cybersecurity.
“CEOs project a great level of confidence when asked about their cyber security strategies, however their perceptions aren’t in line with reality,” said James Kaplan, partner at McKinsey & Company and co-author of Beyond Cybersecurity: Protecting Your Digital Business. “For years, the IT security industry has operated with the understanding that every organisation will suffer a security incident. Given this inevitability, CEOs should be much more focused on building resilience into their businesses so they can maintain operations when the breach occurs.”