CISOs anxious about possible data breaches, employees not so much
If you are a Chief Information Security Officer, chances are you may not be getting much sleep lately according to a recent survey of IT security executives at companies of 500 or more employees.
The survey, conducted in March 2014 by Courion, revealed that 78 percent of respondents are anxious about the possibility of a breach at their organization.
What’s more, IT security executives are increasingly aware that they are on the front line, maintaining brand equity and protecting customers’ privacy and personal data.
58.8 percent identified “protecting the privacy of our customers” as their primary goal in addressing a significant security breach, and 62.7 percent admitted they most fear “negative publicity affecting the company brand,” should a breach occur within their organization.
“Our recent survey confirmed what we’ve been hearing from many customers over the past few years, the role of the senior IT security executive is constantly changing,” said Christopher Zannetos, president and CEO of Courion. “Not only are they thought of as the front line defense for protecting sensitive company and customer information, they also feel responsible for brand image and customer satisfaction. IT security cannot tackle all this alone, however. We believe, and this survey confirmed, that better employee education and management of user access can provide much needed support for the security team.”
Respondents cited “managing user access” and “communicating or enforcing company policies” among top security priorities in 2014, but also believe other stakeholders may not consider the careful control of user access an important issue.
For example, respondents said that while 95 percent of their IT security team considers preventing security breaches a serious issue, they believe only 45 percent of the employee base feels the same.
Indifference at the employee level, lack of knowledge and malicious acts by trusted insiders can present a challenge for IT security, as evidenced by the 2014 Verizon Data Breach Investigations Report, which included “insider misuse” as one of the nine basic patterns that all breaches can be described by. Within this pattern, “privilege abuse” was the top threat action observed in 88 percent of security incidents.
This is meaningful, since “Account Monitoring and Control”, “Controlled Access Based on the Need to Know” and “Controlled Use of Administrative Privileges” are three of the Top 20 Critical Security Controls recommended by the SANS Institute, one of the largest sources for information security training and security certification in the world.