Security breaches at high-profile businesses like Target Corp. have forced many companies to consider hiring a chief information security officer for the first time, or elevating the CISO to a more prominent role. Still, according to a new report, a majority of executives rarely -- if ever -- communicate with their security teams, potentially leaving security programs underfunded and strategies not properly defined.
Ponemon Institute LLC this week released results of a survey of nearly 5,000 IT security practitioners to uncover the challenges that IT executives and professionals face when dealing with security risks. Just under one-third of respondents indicated that their organizations' respective IT security teams never discuss security with executives, while another 23% only communicate with executives on an annual basis.
Of those surveyed, only 1% said security teams spoke with executives weekly and 11% quarterly, though 15% specified that they could meet with executives on an on-demand basis.
That lack of executive-security communication among a majority of surveyed organizations may explain why -- despite the recent surge in high-profile security incidents -- respondents also indicated that their security teams lack the resources they need to succeed.
For instance, slightly more than half of respondents said that their organizations do not invest in the skilled personnel and technologies needed to fulfill their security mission. Additionally, 29% of those surveyed believed that their companies' current security systems are in need of a complete overhaul, with 9% noting that they've had no discussion about making any changes at all.
Without executive attention, threats are slipping through the cracks, according to Ponemon: two-thirds of respondents said they were personally aware of a fellow security professional at an organization that had suffered an insider attack, with intellectual property and customer data being the likely targets.
Jeff Debrosse, director of security research for San Diego-based application security vendor Websense Inc., which sponsored the report, said that despite the persistent media coverage dedicated to breaches in recent years, he was unsurprised by Ponemon's findings. Many of those high-profile security incidents could have been prevented, said Debrosse, had those businesses simply applied products and services that are already available.
That those breaches still occurred, he noted, showed that many board-level executives aren't involved enough in security matters yet. In fact, when asked what would compel executives to invest more in security, the top two factors cited by those surveyed were the exfiltration of intellectual property and a data breach involving the loss of customer data.
Debrosse said that finding is a worrisome indicator that executives still don't realize the risk that security threats pose to the revenue stream of a business.
"If there isn't someone in a security role at that [executive] table, it won't get the attention that it deserves until the eventual happens to the organization," said Debrosse, "and by then, it's far too late. There wasn't budget for staffing, equipment, professional and other services or even things like pen testing, and then [an incident] becomes an after-the-fact information gathering [exercise] of how did this happen."
Despite being concerned by Ponemon's finding, Debrosse said that he was actually optimistic that communication between security teams and executives will improve in the coming years. When speaking at a security event a few weeks ago, for instance, Debrosse found that many of the executives in attendance had questions about how to make a security strategy more proactive -- a measure he said is pivotal if organizations are to succeed in reducing information security risk.
"The organization has to recognize that security professionals need to be present at those high-level meetings when there are strategic and critical decisions being made," said Debrosse. "Security can't be a back-burner topic saved for when something occurs. It needs to be something planned, or else they will without a doubt at some point find themselves as front page news.
"We can shorten that [attack window] down with a few really great best practices, but the very first one has to be staying in communication," added Debrosse.
Threat modeling: An unused arrow in the security bow?
Beyond highlighting executive-security communication issues, the Ponemon report also found that threat modeling -- the practice of identifying the vulnerabilities and threats most likely to affect a specific organization, and then focusing on mitigating those threats -- is seemingly underused as a security tool when compared to its perceived effectiveness.
Among those surveyed, only 42% said their organizations had implemented some sort of threat-modeling process. Out of those organizations that conducted threat modeling, 94% consider the practice important to their enterprises' risk management strategies, with nearly a third of respondents considering it to be essential.
Adam Shostack, author of Threat Modeling: Designing for Security, said that Ponemon's statistics jibe with his experience touting threat modeling across the industry: Not enough organizations have tried threat modeling, but those that did found it offered a lot of value.
Shostack said that he's been training security professionals and organizations on how to implement threat modeling for years, and over that time he's encountered many objections that are the result of what he calls "traps" -- those areas which serve to bog down enterprises as they try to establish a threat-modeling process. Those traps include failing to finish the process, focusing too much on the specifics of how to do threat modeling -- as opposed to each organization figuring out the best way forward in their respective situation -- and attempting to think like an attacker.
To combat those traps, Shostack said he encourages organizations to ask four questions that can help them to more clearly achieve their threat-modeling goals: What are you building? What can go wrong with it once it's built? What should you do about those things that can go wrong? Did you do a decent job of analysis?
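One way to make the fourth question ("did you do a decent job of analysis?") concrete is to record the answers to the first three as data and lint the result for gaps. The following is an added illustration, not code from the article, Shostack's book or any vendor; the sample system, its threats and the disposition vocabulary (mitigate, accept, transfer, eliminate) are constructed assumptions.

```python
# Added example: Shostack's four threat-modeling questions as a checkable record.
# Q1 "What are you building?"      -> ThreatModel.elements
# Q2 "What can go wrong?"          -> Threat.description, tied to an element
# Q3 "What should you do about it?"-> Threat.disposition (+ rationale)
# Q4 "Did you do a decent job?"    -> review(): every element examined, every
#                                     threat decided, every acceptance justified.
from dataclasses import dataclass, field

DISPOSITIONS = {"mitigate", "accept", "transfer", "eliminate"}  # assumed vocabulary


@dataclass
class Threat:
    element: str            # which part of the system it affects
    description: str        # what can go wrong
    disposition: str = ""   # decision taken; empty means not yet decided
    rationale: str = ""     # required when risk is accepted or transferred


@dataclass
class ThreatModel:
    elements: list                  # components named in answer to Q1
    threats: list = field(default_factory=list)


def review(model: ThreatModel) -> list:
    """Return a list of findings; an empty list means the model passes the Q4 check."""
    findings = []
    covered = {t.element for t in model.threats}
    for element in model.elements:                      # Q2 asked of every element?
        if element not in covered:
            findings.append(f"{element}: no threats identified")
    for t in model.threats:
        if t.element not in model.elements:             # threat against nothing we build
            findings.append(f"{t.description}: unknown element {t.element}")
        if t.disposition not in DISPOSITIONS:           # Q3 never answered
            findings.append(f"{t.description}: no decision recorded")
        elif t.disposition in {"accept", "transfer"} and not t.rationale:
            findings.append(f"{t.description}: {t.disposition} without rationale")
    return findings


# Constructed sample model for an online store; deliberately incomplete.
SAMPLE = ThreatModel(
    elements=["web frontend", "order database", "payment gateway link"],
    threats=[
        Threat("web frontend", "session token replay", "mitigate"),
        Threat("order database", "bulk export of customer records by insider", "accept"),
        Threat("order database", "backup media lost in transit", "transfer",
               "covered by carrier contract"),
    ],
)

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Running it reports the untouched payment gateway link and the accepted insider-export risk that has no recorded justification, which is exactly the kind of gap the "failing to finish" trap leaves behind.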
"Many of those traps may be the reasons that nearly 60% of organizations haven't given it a serious try," said Shostack. "The pilots don't work because obvious approaches like 'list your assets' or 'think about attackers' leave people stymied."
Debrosse said that he was inspired to see so many organizations had responded positively to threat modeling, but agreed with Shostack that more organizations need to embrace it in order to evolve past a reactive security mode.
The easiest way for an enterprise to get started with threat modeling, said Debrosse, is by seeking out one of many freely available templates online and then carving it down to meet specific needs. Perhaps most importantly, Debrosse said that threat modeling needs more advocates within the security industry that can tout success stories to skeptical companies.
"Once they understand that part, they'll start seeking out different models and figuring out which one works best for them or works best for what their security leadership believes," said Debrosse, "but the very first tip of that iceberg is bringing up that folks are having a tremendous amount of success and are responding very positively to threat modeling and the organization should take a look at it as well."