Tag Archives: CISO

“Cyber attack fears delaying business innovation” reveals HackerOne survey

A survey conducted by HackerOne has revealed that IT projects are being stifled by security concerns. More than 80% of the UK CISOs and CTOs interviewed said that software IT projects have been hindered by concerns over inevitable security issues, and 90% agreed that software vulnerabilities pose a significant risk to their organisation.

“Organisations need to find a balance between driving innovation and keeping data safe,” said Laurie Mercer, security engineer at HackerOne. “It’s not surprising that fear around cyber security is hindering this, but by moving beyond traditional cyber security strategies, businesses can start to feel empowered. When I started writing code, new releases of software would take six months to develop and test. Today, new software is released every hour. This new pace of innovation poses a problem for security teams but, by implementing a strategy that supports continuous security, businesses can ensure they’re on alert for any vulnerabilities that software might have. The key is to ensure that security is constantly evolving.”


Manpower and budgets are also a key concern for security professionals, with 63% believing security team resources are not able to keep up with the pace of development. Lack of budget and other resources including skill sets were also cited as key barriers to creating a well-rounded cyber security strategy by over a third of respondents.

Despite the significant number of concerns around vulnerabilities and limited resources, the survey highlighted that 62% would rather accept the risk of software vulnerabilities than invite unknown hackers to find them, while 63% say they’re only comfortable accepting bug submissions from vetted hackers.

A HackerOne customer and CISO of an international health and beauty retailer said: “I understand first-hand the nature of remaining cautious. As we all know, though, traditional cyber security methods alone are not sufficient. CISOs find themselves in a tricky position, needing to embrace innovation, but while ultimately remaining responsible for cyber security. The security landscape is ever evolving so we need to approach defensive strategies in the same way. By working with ethical hackers, it gives organisations the freedom to work on new projects, spin-up new applications and try different ways of working, while at the same time there’s peace of mind that continuous and ongoing testing is taking place. With ethical hacking, these vulnerabilities can be fixed immediately.”

The research was conducted by Opinion Matters and included input from 200 UK CISOs and CTOs. The findings revealed what CISOs believe to be the biggest risks to businesses, which areas are hindering growth and what kind of technology respondents are likely to implement in order to overcome these challenges.


Filed under Risk Xtra

“Non-executive directors have a responsibility to understand cyber security risks” urges AXELOS

Non-executive directors have a responsibility to understand cyber security risks and resilience in order to best protect the interests of their business. That’s the view espoused by AXELOS Global Best Practice in a new discussion paper.

In the paper, AXELOS calls for more training on cyber security risks and resilience for non-executive directors on company Boards. ‘Mind the Information Gap: Non-Executive Directors and Professional Development’ identifies that non-executive directors on audit and risk committees are in a unique position to improve the resilience of their companies, but asserts that many may not currently have access to the training and skills necessary in order to do so.

Nick Wilding, head of cyber resilience Best Practice at AXELOS, stated: “Some organisations can be complacent about cyber risk, believing that ‘We’re not a target. We’re too small and don’t have anything of value to a hacker.’ The reality is that everyone in a business needs to be aware of cyber security risks and resilience strategies, but particularly those in senior roles.”

Wilding added: “Companies need to ensure that their Board members are able to learn about these issues. This is the best way to ensure that a company is as prepared as possible for any incident or attack.”

Nick Wilding: head of cyber resilience Best Practice at AXELOS

Professional development strategy for senior executives

The discussion paper recommends that companies introduce a professional development strategy for senior executives designed to address this lack of understanding of cyber security issues at Board level. This will help Board members build cyber security risks into a broader understanding of their organisation’s ‘risk appetite’. It will also ensure that they have the capacity to understand and question audit, risk and compliance reports that are provided by the organisation.

AXELOS also argues that, as a consequence of this better understanding, strong relationships will form between specific Board members and key figures from the business – such as the CIO, CISO and risk director – in turn ensuring that cyber security issues have a ‘champion’ at Board level.

In conclusion, Wilding explained: “Ahead of the launch of the new AXELOS Cyber Resilience Best Practice portfolio later this year, our new discussion paper demonstrates how important it is that everyone – including those at Board level – in an organisation is equipped to deal with a cyber security incident. Companies must improve their resilience. This can only happen if Board members are engaged and informed.”

*The new discussion paper can be found on the AXELOS website: www.axelos.com/case-studies-and-white-papers/mind-the-information-gap

**AXELOS was formed in 2013 to promote and grow the Global Best Practice portfolio, including ITIL, PRINCE2 and the other PPM products used across organisations in the private, public and voluntary sectors within more than 150 countries worldwide.
 
AXELOS has an ambitious programme of investment for developing innovative new solutions and stimulating the growth of a vibrant, open and international ecosystem of training, consultancy and examination organisations.
 
Forthcoming developments include the aforementioned launch of a Cyber Resilience Best Practice portfolio, PRINCE2 Agile, the ITIL Practitioner qualification and its first-ever Continuing Professional Development (CPD) programme for practitioners.


Filed under Risk UK News