Tag Archives: CIO

“Cyber attack fears delaying business innovation” reveals HackerOne survey

A survey conducted by HackerOne has revealed that IT projects are being stifled due to security concerns. More than 80% of UK CISOs and CTOs who were interviewed revealed software IT projects have been hindered due to concerns over inevitable security issues. 90% also agreed that software vulnerabilities pose a significant risk to their organisation.

“Organisations need to find a balance between driving innovation and keeping data safe,” said Laurie Mercer, security engineer at HackerOne. “It’s not surprising that fear around cyber security is hindering this, but by moving beyond traditional cyber security strategies, businesses can start to feel empowered. When I started writing code, new releases of software would take six months to develop and test. Today, new software is released every hour. This new pace of innovation poses a problem for security teams but, by implementing a strategy that supports continuous security, businesses can ensure they’re on alert for any vulnerabilities that software might have. The key is to ensure that security is constantly evolving.”


Manpower and budgets are also a key concern for security professionals, with 63% believing security team resources are not able to keep up with the pace of development. Lack of budget and other resources including skill sets were also cited as key barriers to creating a well-rounded cyber security strategy by over a third of respondents.

Despite the significant number of concerns around vulnerabilities and limited resources, the survey highlighted that 62% would rather accept the risk of software vulnerabilities than invite unknown hackers to find them, while 63% say they’re only comfortable accepting bug submissions from vetted hackers.

A HackerOne customer and CISO of an international health and beauty retailer said: “I understand first-hand the nature of remaining cautious. As we all know, though, traditional cyber security methods alone are not sufficient. CISOs find themselves in a tricky position, needing to embrace innovation, but while ultimately remaining responsible for cyber security. The security landscape is ever evolving so we need to approach defensive strategies in the same way. By working with ethical hackers, it gives organisations the freedom to work on new projects, spin-up new applications and try different ways of working, while at the same time there’s peace of mind that continuous and ongoing testing is taking place. With ethical hacking, these vulnerabilities can be fixed immediately.”

The research was conducted by Opinion Matters and included input from 200 UK CISOs and CTOs. The findings revealed what CISOs believe to be the biggest risks to businesses, which areas are hindering growth and what kind of technology respondents are likely to implement in order to overcome these challenges.


“Hybrid cloud and the CIO will rule in 2017” asserts Informatica

Cloud has reached maturity. No longer seen as the dangerous option, widespread cloud adoption will enable more flexible and rapid service in 2017. As a result, businesses will need to have total control of their infrastructure and sensitive data if they’re to keep up. With this in mind, Greg Hanson (vice-president for worldwide consulting at data specialist Informatica) has moved to explain the four areas businesses must prepare for in 2017 if they’re to perfect their cloud strategy.

Enterprises will embrace a hybrid cloud approach to dispel data fragmentation

Widespread adoption of Software-as-a-Service (SaaS) has traditionally been the preserve of SMEs looking for subscription-based models and easily scalable software. Yet pockets of SaaS investment have crept into the enterprise in 2016, occurring within individual lines of business and causing data fragmentation which hampers agility.

In 2017, rather than shying away from SaaS deployments business-wide, successful enterprises will embrace a hybrid approach to the cloud and reclaim their single view of data assets.

Security will no longer be a question of on-premise or cloud

It’s no longer about whether on-premise or cloud is more secure, but rather about understanding that breaches come from the inside. Threats exist inside the firewall and, as a result, perimeter defence alone has long been ineffective.

After all, the biggest threat to an organisation’s security posture doesn’t come from the kind of infrastructure and software it uses, but rather its people.


Greg Hanson

The amount of data that business users are consuming and demanding means it’s the data management strategy that’s imperative. Security posture in 2017 will be defined by an organisation’s ability to carve out a cohesive data management strategy to track data wherever it resides, and then secure it at its source. 

Brands will live and die by their customer experience

From financial institutions to retailers and manufacturers, customer experience will overtake price as the new differentiator for customers. As such, data stewardship and governance will become the priority for those delivering second-to-none experiences and successful transformation projects.

It’s all very well pulling data assets together and sharing them with lines of business for these initiatives, but they will need to know that the quality of the data they’re implementing into systems is pristine.

What’s more, they will need the right guidance and tools to access the data in the first place and visualise it in such a way that it can travel the last mile and be put into real use. This is where a cohesive data management strategy is essential for bridging the disconnect between data scientists and business users. 

CIOs will secure their future by reclaiming ownership of data initiatives

With CIOs increasingly facing competition from a tech-savvy set of business IT buyers, it will be imperative that the former step up and take ownership of business agility and transformation to ensure they still lead their organisation’s digital journey.

Lines of business are increasingly looking to do things cheaper and quicker without the involvement of IT. This means that CIOs will need to reclaim control of data management at its root to drive enterprise-wide security and improve accessibility of data.

Only then can they fully ensure that the single view of the company’s data assets doesn’t become somewhat ‘muddied’ by a disjointed IT spend and independent data management across the business.


“UK businesses could spend £1.2 million recovering from a cyber security breach” states new research from NTT Com Security

Most business decision-makers in the UK admit that their organisation will suffer from a cyber security breach at some point. They also anticipate that recovering from a data breach would cost upwards of £1.2 million on average for their organisation. That’s according to the Risk:Value report issued by information security and risk management company NTT Com Security, which surveyed business decision-makers in the UK as well as the US, Germany, France, Sweden, Norway and Switzerland.

While nearly half (48%) of UK business decision-makers say that information security is ‘vital’ to their organisation, and just half agree it’s ‘good practice’, a fifth admit that poor information security is the ‘single greatest risk’ to the business ahead of ‘decreasing profits’ (12%) and ‘competitors taking market share’ (11%) and on a par with ‘lack of employee skills’ (21%).

Well over half (57%) agree that their organisation will suffer a data breach at some point, while a third disagree. One-in-ten state that they simply don’t know if this will be the case.

Respondents estimate that a breach would cost them an average of £1.2 million, even before ‘hidden costs’ like reputational damage and brand erosion are taken into consideration. On average, it would take around two months to recover from a breach. Respondents to the comprehensive survey also anticipate a 13% drop in revenue, on average, following a breach episode.

Starting to hit home

The survey shows that recent high-profile data breaches are starting to hit home. A similar report published by NTT Com Security in 2014 revealed that 10% of an organisation’s IT budget was spent on information security compared to 11% this year. However, in the latest report, around a quarter (23%) of UK businesses reveal that more is spent on Human Resources than information security.

In terms of remediation costs following a security breach, nearly a fifth (18%) of a company’s costs would be spent on legal fees, 18% on fines or compliance costs, 17% on compensation to customers and 11% set aside for third party remediation resources. Other anticipated costs include PR and communications (14%) and compensation paid to both suppliers (12%) and employees (11%).


According to the report, the majority of respondents in the UK admit they would suffer both externally and internally if data was stolen, including loss of customer confidence (66%) and damage to reputation (57%) as well as suffering direct financial loss (41%). Over a third of decision-makers (34%) expect to resign (or expect another senior colleague to do so) as a result of a breach.

Stuart Reed, senior director for global product marketing at NTT Com Security, commented: “Attitudes towards the real impact of security breaches have really started to shift. That’s no surprise given the year we have just had. We’ve seen several major brands reeling from the effects of serious data breaches, and struggling to manage the potential damage, not only to their customers’ data, but also to their own reputation. While the majority of people we spoke to expect to suffer a cyber security breach at some point, most fully expect to pay for it as well, whether that’s in terms of third party and other remediation costs, customer confidence, lost business or even, possibly, their jobs.”

Whose responsibility is it anyway?

*41% of UK organisations have a disaster recovery plan in place, with 40% having a formal security policy in place. In both cases, almost half are in the process of implementing or designing one

*When it comes to responsibility for managing the company’s recovery plan, 15% say the CEO now has responsibility, although this still largely falls to the Chief Risk Officer (CRO), the Chief Information Officer (CIO) or the Chief Security Officer (CSO)

*While 77% agree it’s ‘vital’ their business is insured for security breaches, only 26% have dedicated cyber security insurance. However, 38% of those questioned are in the process of obtaining a policy

*One-in-five respondents in the UK say they don’t know if their organisation has any type of insurance in place to cover for the financial impact of data loss or an information security breach

“It’s encouraging to see that almost all UK businesses now have a disaster recovery and formal information security policy in place, or are at least planning to implement one soon,” added Reed.

“Clear, concise internal processes and policies for employees and contractors have so often been overlooked, and this is what can lead to complacency and poor security hygiene. When we talk to clients, we make it absolutely clear that educating staff about security should be a top priority, supported all the while by clear and simple procedures and backed up by a solid incident response plan.” 

*The Risk:Value Executive Summary report can be downloaded here


Vanderbilt builds on security market success with duo of senior management appointments

Vanderbilt International, the state-of-the-art security systems developer, has strengthened its senior management team with two key appointments. Peter Mueller has joined the company as its new Chief Information Officer (CIO) and executive committee member, while Rickard Hammarberg will take on the role of sales hub head for Sweden.

Mueller’s impressive career spans over 30 years in business, where he was a management consultant for international blue chip companies including Deloitte, Arthur D Little and IBM. A graduate of the University of Münster, for the last seven years he has served as Professor in MBA Programs at the Ho Chi Minh University of Technology and Adjunct Professor at Beijing Normal University as well as being a visiting Professor at universities throughout India.

Mueller will now facilitate a strong alignment with Vanderbilt’s Information Technology, business and management functions.

Commenting on his new role, Mueller told Risk UK: “As CIO, I’m looking forward to identifying areas where we can use technology to make our overall operation more efficient and cost-effective and improve the service we offer to our ever-growing customer base. This will ensure that we maximise our competitive potential in what is a highly competitive market, while at the same time delivering value and adapting to changing working practices such as remote working.”

Peter Mueller


For his part, Rickard Hammarberg brings a wealth of experience to Vanderbilt gained over 20 years of working in the security industry, during which time he has amassed considerable knowledge about the technology and trends within the CCTV and access control sectors.

His previous positions include a variety of national and international roles, among them a two-year stint in the UK as team leader at Bewator. Hammarberg’s most recent position was regional sales manager for the Nordics at Lenel Systems International. He has also worked for BIAB Larm and YIT Sweden.

Hammarberg is now tasked with increasing the company’s profile in Sweden and the wider Nordic region, as well as setting the strategic business plan and sales strategy to build the brand and develop long-term relationships with its customers.

He commented: “I’m convinced that Vanderbilt’s ranges of access control, intrusion alarm and video surveillance products offer unrivalled levels of performance, flexibility and user-friendliness. This all makes them perfect for the Swedish market, and I’m now looking forward to playing my part in the company’s growth strategy and taking myself and my team to new levels of success.”

Welcoming Mueller and Hammarberg on board, Joseph Grillo (Vanderbilt’s managing director) stated: “Since acquiring Security Products from Siemens in April 2015, Vanderbilt has reinforced its position as a global leader in state-of-the-art security systems. Having Peter and Rickard on our senior management team will really help us in our mission to expand our presence in the security business sector and provide a level of service that’s agile, flexible and always meets our customers’ needs.”


“Non-executive directors have a responsibility to understand cyber security risks” urges AXELOS

Non-executive directors have a responsibility to understand cyber security risks and resilience in order to best protect the interests of their business. That’s the view espoused by AXELOS Global Best Practice in a new discussion paper.

In the paper, AXELOS calls for more training on cyber security risks and resilience for non-executive directors on company Boards. ‘Mind the Information Gap: Non-Executive Directors and Professional Development’ identifies that non-executive directors on audit and risk committees are in a unique position to improve the resilience of their companies, but asserts that many may not currently have access to the training and skills necessary in order to do so.

Nick Wilding, head of cyber resilience Best Practice at AXELOS, stated: “Some organisations can be complacent about cyber risk, believing that ‘We’re not a target. We’re too small and don’t have anything of value to a hacker.’ The reality is that everyone in a business needs to be aware of cyber security risks and resilience strategies, but particularly those in senior roles.”

Wilding added: “Companies need to ensure that their Board members are able to learn about these issues. This is the best way to ensure that a company is as prepared as possible for any incident or attack.”

Nick Wilding: head of cyber resilience Best Practice at AXELOS


Professional development strategy for senior executives

The discussion paper recommends that companies introduce a professional development strategy for senior executives designed to address this lack of understanding of cyber security issues at Board level. This will help Board members build cyber security risks into a broader understanding of their organisation’s ‘risk appetite’. It will also ensure that they have the capacity to understand and question audit, risk and compliance reports that are provided by the organisation.

AXELOS also argues that, as a consequence of this better understanding, strong relationships between specific Board members and key figures from the business – such as the CIO, CISO and risk director – will be formed, in turn ensuring that cyber security issues have a ‘champion’ at Board level.

In conclusion, Wilding explained: “Ahead of the launch of the new AXELOS Cyber Resilience Best Practice portfolio later this year, our new discussion paper demonstrates how important it is that everyone – including those at Board level – in an organisation is equipped to deal with a cyber security incident. Companies must improve their resilience. This can only happen if Board members are engaged and informed.”

*The new discussion paper can be found on the AXELOS website: www.axelos.com/case-studies-and-white-papers/mind-the-information-gap

**AXELOS was formed in 2013 to promote and grow the Global Best Practice portfolio, including ITIL, PRINCE2 and the other PPM products used across organisations in the private, public and voluntary sectors within more than 150 countries worldwide.
 
AXELOS has an ambitious programme of investment for developing innovative new solutions and stimulating the growth of a vibrant, open and international ecosystem of training, consultancy and examination organisations.
 
Forthcoming developments include the aforementioned launch of a Cyber Resilience Best Practice portfolio, PRINCE2 Agile, the ITIL Practitioner qualification and its first-ever Continuing Professional Development (CPD) programme for practitioners.
