That lack of unity and communication wouldn't fly with Jay Leek, chief information security officer at New York City-based private equity and asset management firm The Blackstone Group. "I'm a believer in transparency in how we run our security programs to the extent we can be transparent. Not everything's confidential. Our five principles are protect, trusted adviser, transparent, awareness, and measure," says Leek.
"Our job is to protect the firm but, more importantly, I'm a trusted adviser to the business leaders in this firm. That's because they need to make informed risk-based decisions and I need to be there to help advise them to make a better decision at the time when they need to make it. We do this in a very transparent way to drive greater awareness to the firm," he adds.
A big part of those efforts, explains Leek, is helping executives understand the differences among cybercrime, cyber espionage, the insider threat, and hacktivist type organizations so they understand the motives behind each, and why the motive is important. "The new threat that we've seen surface over the past 18 to 24 months concerns destruction, retaliation, and disruption not stealing anything. It's important to understand this because these threats don't have to get in and get out; they just have to get in," he says.
Kenneth Swick, independent security consultant and recent information security officer at Citigroup, says that understanding and level of education are crucial for CEOs and boards, and when poor alignment exists, effective organizational security is a nonstarter. "The desire for a secure environment must flow from the C-Suite to the rest of the organization," says Swick.
In addition to the challenges of aligning proper information risk management with the needs of business leadership, the survey found that enterprises have stalled in their ability to see what attacks are underway within their systems, while too many organizations (25 percent) still don't understand the nature of the impact to their business from these attacks. According to the study, 28 percent of respondents victimized by a cybercrime couldn't determine if it was caused by internal or external attackers.
As might be expected, larger organizations, which presumably have more security resources in people and technology, detect more security breaches. The survey found that large enterprises spotted 31 times more incidents than their smaller counterparts.
How do enterprises and government agencies improve from here? Swick says it's time, finally, for organizations to get going in earnest on the very basics. They need to classify and prioritize their most business-critical assets, and put the tools in place to detect suspicious activity. Once that is complete, move out from the most critical business assets and throughout the organization as budget and resources allow. "This is a challenging area because it will take a lot of resources and potentially re-architecting your network to really do this right. You just can't walk into an environment and make this happen," he says.
Sign up for CIO Asia eNewsletters.