by Divina Paredes

More CEOs taking a hands-on approach to information security

Oct 07, 2015

Cyberattacks have become the new normal in today’s digitally connected world.

Existing information security methods have proved ineffective, and many organisations are rethinking their cybersecurity strategies and practices, according to the 2016 Global Information Security Survey.

CIO, CSO and PwC interviewed more than 10,000 respondents across the globe, including 102 business and technology executives from New Zealand, for the 2016 report.

The report finds organisations are implementing a range of technologies such as cloud-enabled security, data analytics, and advanced authentication.

Organisations are also getting into risk-based frameworks, external collaboration, and purchasing cybersecurity insurance.

Despite significant technological advances, cybersecurity is ultimately a people business, according to the summary of findings released this week by PwC.

The report notes how the roles of key personnel – the CISO or CSO, CEO, and board – are evolving as cyber risks become increasingly prominent.

To be truly effective, the top security executive should report to the C-suite or board, the report states.

Increasingly, CEOs are taking a hands-on approach to information security, according to survey respondents.

Many respondents said their CEO understands that cybersecurity is a top business risk, and promotes cybersecurity as a corporate governance imperative.

A number of respondents also said their CEO understands the costs and benefits of the cybersecurity program and information security technologies, but fewer are aware of the legal implications of information security risks.

Board engagement and the impact of board involvement also increased over last year.

Respondents said the board is most likely to participate in overall security strategy, security budgeting, security policies, and security technologies.

Among survey respondents, the most frequently cited reporting lines for the top security executive are, in order, the CEO, CIO, board, CTO, CPO, and CFO. In New Zealand, the top three reporting lines are to the CEO (31 per cent of respondents), CIO (19 per cent) and board (16 per cent).

Many respondents said that their CISO/CSO approaches information security as an enterprise risk-management issue, communicates security risks directly to executive leaders, understands the organisation’s business issues, and collaborates with internal stakeholders.

Fewer respondents said their CISO/CSO has the authority necessary to lead the information security program, and the CISO/CSO is typically not seen as a business leader by executive officers.

Linking information security to competitive advantage

This year’s report highlights how advanced and enhanced information security practices will not only enable companies to better defend against cyberthreats, but can also help create competitive advantages and foster trust among customers and business partners.

“Organisations should recognise that good cybersecurity is good business – and can ultimately help improve organisational and financial performance,” states the report summary.

Businesses, meanwhile, are taking on new strategies to take advantage of emerging platforms and opportunities.

These include the Internet of Things, mobile payment systems, and the use of DevOps and open-source software.

Advances in computer science and technologies are providing a transformational opportunity for organisations to revise their cybersecurity strategies.

Indeed, companies that embrace new approaches to cybersecurity can rethink legacy technologies and processes, as well as achieve competitive advantages through operational and cost efficiencies, the report states.

Most organisations have adopted a risk-based cybersecurity framework, which lays the foundation for an effective security program.

The report finds the two most frequently implemented frameworks are ISO 27001 and the NIST Cybersecurity Framework.

As a result of implementing these frameworks, organisations are better able to identify and prioritise security risks, and more quickly detect and mitigate incidents, it states.

The report finds 69 per cent of respondents use cloud-based security services to help ensure data security and privacy. Services used include real-time monitoring/analytics, advanced authentication, identity and access management, and threat intelligence.

Most respondents use some form of advanced authentication, such as software tokens, hardware tokens, cryptographic keys and biometrics.

Almost half of respondents employ big data analytics to help model for and detect cybersecurity threats.

Over the past three years, the number of organisations that embrace external collaboration to improve security awareness and response tactics has steadily increased. This year, 65 per cent of respondents said they engaged in these types of collaboration.

They said the benefits of this collaboration include sharing and receiving more actionable information from industry peers and Information Sharing and Analysis Centers (ISACs), improved threat intelligence, and more timely threat intelligence alerts.

This year, 59 per cent of respondents said their organisation has purchased cybersecurity insurance to help mitigate the financial costs of incidents.

The most common types of incident-related losses include protected personally identifiable information, payment card data, intellectual property/trade secrets, and damage to brand reputation.

More than a third (36 per cent) of respondents said their organisation has a security strategy for the Internet of Things. An additional 30 per cent said they are implementing a security strategy as IoT-related incidents increased over the last year.

More than half (57 per cent) of survey respondents said their organisation accepts mobile payment services.

Also, more organisations are taking steps to help secure the mobile payments ecosystem.

Respondents said they are addressing risks related to malware and malicious apps, addressing threats related to hardware and device platforms, and implementing tokenisation and encryption.

Some organisations are embracing DevOps to advance their cybersecurity practices. This agile approach is particularly beneficial for companies that have thousands of active applications, as well as those that deploy code updates very frequently.

The report notes organisations that employ DevOps often do so using inexpensive open source software, a move toward IT models pioneered by companies like Facebook and Netflix.

Read more on the New Zealand results of the 2016 Global Information Security Survey.
