2. Gain board-level buy-in
Board-level involvement is critical to the long-term success of any enterprise IT security programme, but the survey findings show that respondents believe their board members aren't giving security the attention it deserves, and that they don't fully comprehend the cyber risks that are facing their organisations.
The root of this problem is the "disconnect between the IT guy and the business guy", according to Bussiere. "There is an existing communication barrier between the two because the IT guy tends to speak in technical terms, while the business guy tends to speak in business terms. Oftentimes, the IT guy knows that there is a massive amount of risk involved, but he is unable to articulate it clearly in a way that makes sense to the business guy."
As such, CISOs and their security teams must learn to speak the language of business and construct reports that bridge the technical knowledge gap so they can clearly communicate the overall security status of their organisation. Without buy-in at the highest levels of an organisation, progress will be hard to achieve.
3. Deploy passive scanning to close security gaps
According to Bussiere, more than half (54 percent) of organisations surveyed in 2014 performed vulnerability assessments once a quarter or less. Yet, there was an average of 152 vulnerabilities disclosed every single week last year. Additionally, over 90 percent of exploits are using vulnerabilities that are a year or more old.
"These statistics show that people are not making enough effort to reduce vulnerabilities despite their increase and the expansion of the threat surface," said Bussiere. "Organisations need to invest more money to conduct proactive security rather than real-time or reactive security. If you are not mitigating actively - discovering things and trying to fix them - the risk of being compromised goes up."
He added that CISOs have to always "be paranoid" and work with the assumption that they are going to be breached so that they will be more conscious of detecting and preventing breaches.
Organisations that rely on periodic vulnerability assessments alone have an accurate picture of their network security risks about once a month. By adding passive scanning to a continuous network monitoring programme, IT security teams gain visibility into security risks on the other 353 days of the year.
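To make the passive-scanning point concrete, here is an added example (not code from the article, from Bussiere or from any vendor) of what continuous passive observation yields that a quarterly scan cannot: service banners seen on the wire are collapsed into an asset inventory, matched against an advisory feed, and each finding is marked "stale" when the advisory is a year or more old, the category the article says most exploits target. All hosts, versions, observation dates and advisory identifiers are constructed placeholders, and the advisory-matching logic (exact service/version string match) is a simplification of a real correlation engine.

```python
from datetime import date

# Constructed sample: passive banner observations (host, service, version,
# date first seen on the wire). These are made-up values, not real assets.
OBSERVATIONS = [
    ("10.0.0.5", "openssh", "7.4", date(2015, 3, 1)),
    ("10.0.0.7", "nginx", "1.6.2", date(2015, 3, 2)),
    ("10.0.0.5", "openssh", "7.4", date(2015, 3, 9)),   # repeat sighting
    ("10.0.0.9", "nginx", "1.7.9", date(2015, 3, 9)),
]

# Constructed advisory feed: (service, affected version, placeholder advisory
# id, disclosure date). Identifiers are placeholders, not real advisories.
ADVISORIES = [
    ("nginx", "1.6.2", "ADV-PLACEHOLDER-1", date(2014, 1, 15)),
    ("openssh", "7.4", "ADV-PLACEHOLDER-2", date(2015, 2, 20)),
]

# The article's threshold: exploits overwhelmingly use bugs a year or more old.
STALE_DAYS = 365


def build_inventory(observations):
    """Collapse repeated passive sightings into one entry per
    (host, service, version), keeping the earliest observation date."""
    inventory = {}
    for host, service, version, seen in observations:
        key = (host, service, version)
        inventory[key] = min(seen, inventory.get(key, seen))
    return inventory


def match_advisories(inventory, advisories, today, stale_days=STALE_DAYS):
    """Correlate the inventory with the advisory feed. Each finding records
    how long the advisory has been public and whether it has crossed the
    one-year mark that the article singles out."""
    findings = []
    for (host, service, version), first_seen in inventory.items():
        for adv_service, adv_version, adv_id, disclosed in advisories:
            if adv_service == service and adv_version == version:
                age = (today - disclosed).days
                findings.append({
                    "host": host,
                    "service": service,
                    "version": version,
                    "first_seen": first_seen.isoformat(),
                    "advisory": adv_id,
                    "age_days": age,
                    "stale": age >= stale_days,
                })
    return findings


def scan_report(today_iso="2015-03-10"):
    """Run the passive inventory and advisory correlation as of a given day
    (ISO date string) and return the list of findings."""
    today = date.fromisoformat(today_iso)
    return match_advisories(build_inventory(OBSERVATIONS), ADVISORIES, today)


if __name__ == "__main__":
    for f in scan_report():
        flag = "STALE" if f["stale"] else "recent"
        print(f"{f['host']} {f['service']} {f['version']} -> "
              f"{f['advisory']} ({f['age_days']} days old, {flag})")
```

Because the inventory is rebuilt from whatever traffic is observed, a host that appears between scheduled assessments shows up in `scan_report` the day its banner is first seen rather than at the next quarterly scan; the `stale` flag is what a team would use to prioritise the year-old exposures the article warns about.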
4. Embrace the cloud
Transitioning applications and IT infrastructure to the cloud yields compelling business advantages, but it also introduces new risks and uncertainties.
"When embracing cloud, make sure that you protect yourself and are equipped with the same 'paranoid' mindset - constantly monitor and always assume that you are going to be breached," said Bussiere.