Business leaders fibbing to cover up lax security posture

Nominet study finds evidence that many businesses tout the robustness of their security posture as a selling point even though their security teams lack confidence in themselves

Over 70% of security professionals say their employers are touting their robust cyber security postures to potential partners and customers even though more than one-third of them are less than confident with their choice of security solution, according to a new study produced for Nominet.

For its latest Cyber confidence report, Nominet analysed 300 senior security practitioners in both the UK and the US and found many of them were being put in potentially compromising positions by their employers.

Asked how confident they were in their organisation’s final choice of security technology, 34% of CISOs said they were only somewhat or slightly confident, and only 17% said their security stacks were completely effective. Also, 68% of those who had faced down a breach in the past 12 months said they had no confidence they would be able to recover from a similar event the next time around.

Stuart Reed, vice-president of cyber security at Nominet, said the study’s findings highlighted the need for CISOs and the wider businesses they are supposed to protect to get on the same page.

“While it is natural that a CISO might be slightly more cautious about claiming the effectiveness of the security solutions in place, more than a third not being even moderately confident in the final choice of a security solution is a worry, particularly when businesses are touting the benefits of their cyber defence,” said Reed.

“This disconnect in cyber confidence should act as an alarm bell to organisations and potentially prompt some investigation and analysis.”

Often, CISOs’ lack of confidence in their security posture could be put down to a lack of testing once systems have been put in place, said Nominet. One-fifth of respondents admitted they either didn’t test the performance of their security stack or didn’t know whether it was being tested.

Nominet said it was also important to consider cyber security investment decisions and how those might contribute to confidence – or lack of it – among CISOs. The study showed 76% believed security was an increasing priority for their employers, which naturally leads to the question of where budgets should be spent.

According to Nominet, monitoring (16%), cyber resilience (14%) and governance (12%) were ranked the top three priorities, while others cited strategy and programme transformation, stakeholder awareness, and third-party and supply-chain management.

This final area could be a particularly keen area of focus, said Dave Polton, solutions vice-president at Nominet Cyber, who said the channel had a huge opportunity to help CISOs get their mojo back.

“With access to the right technology, measurement tools and experienced consultancy – for example, on how best to manage third parties – partners can be a CISO’s right-hand man in building a robust security infrastructure, which not only inspires confidence but can generate investment in the areas that count,” said Polton. “We believe that giving partners access to training and development that enables them to carve out this position as trusted advisers is a crucial element of broader cyber confidence.”

Gary Foote, CIO at Haas F1, who holds CISO responsibilities as part of his wider remit, said: “Communicating investment priorities and what is needed to keep our infrastructure secure is an increasingly important part of my job. In a technologically driven sport such as Formula 1, being able to show effectiveness of the security stack and potential risks through clear measurement is hugely important.

“We are also highly conscious of the need for strong security across the third parties we engage with and in our supply chain. One of the ways we mitigate against this threat is ensuring we have early and holistic visibility through comprehensive network detection and response.

“For me, cyber confidence is about having the right proof points and technology in place, as well as having an open dialogue with the wider business, to ensure we can keep the wheels in motion.”
