3 things you need to ask your head of security

Cybersecurity is more than a technical matter, it’s a human one.
So to remain secure, organizations need to combine some
deceptively soft-sounding solutions, such as collaboration,
partnership and skills, with the toughest technology.
Cyberattacks are constantly evolving, and becoming more
insidious than ever. The rise of the Advanced Persistent Threat
(APT) and the even more potent Advanced Volatile Threat (AVT)
has seen a boom in polymorphic, multi-vector hacking against
ordinary organizations.
Traditional security approaches, such as next-generation
firewalls (NGFWs) and intrusion prevention systems (IPS), no
longer provide protection against new techniques like spear-
phishing. Examples continue to hit the headlines of respectable,
competent organizations which nonetheless fall victim to
cyberattack, suffer data theft, financial loss and damage to their
brand reputation.
Yet incredibly, 69% of CEOs don’t take security seriously enough,
according to BT’s recent report on mobile security threats. (For
more information, download the executive summary.)
No organization can defend themselves effectively on their own.
Collaboration and partnership are becoming essential to
cybersecurity. To get the latest intelligence, you need access to
sources of shared information about the entire threat landscape.
CERT UK’s Cyber-Security Information Sharing Partnership
(CiSP) is a great initiative. Commercial organizations also
provide threat intelligence services. Look for one that scans both
open-source and anonymized private data and provides both
general reports and analysis of your organization’s specific
vulnerabilities.
One of the greatest vulnerabilities organizations face is not
technological at all – it’s human. People are often the cause of
security breaches – not intentionally, but simply through
ignorance or carelessness. 10% of employees do not even
secure the BlackBerry or iPad they use for work with a simple
password. More than half don’t know what their company’s
security policy is for using their own devices at work – usually
because the company doesn’t have one (only 40% do) or
because it hasn’t trained them on it.
More than half of all organizations don’t give all their employees
training on their personal responsibility for cybersecurity. If they
did it would not only reduce the risk of security breaches but
help mitigate the consequences should they occur. But
developing a security-conscious culture needs to come from the
top, with executives leading by example.
Not only do organizations have too many people who don’t
understand security, they don’t have enough people who do.
There is an acute global shortage of cybersecurity skills: only
26% of organizations believe they have sufficient resources in
place to prevent a mobile security breach.
If you can’t hire enough suitably skilled security professionals of
your own, a good approach is to join forces with a partner who
does. Partnerships are a better way of tapping into the
intelligence and expertise you require, because security
specialists who deal with many organizations have a more
comprehensive and up-to-date view of the emerging threat
landscape. Partnerships with your own customers help too, as
they can inform you of issues outside your immediate field of
interest before they become a problem. Intelligence can be
shared with others in the partnership, too.
Leaders of all types of organizations should ask their head of
security these three questions:
1. How prepared are we to combat Advanced
Persistent Threats?
2. How well is our security policy being applied to our
own people through training and awareness
programmes?
3. Have we got sufficient access to up-to-date
intelligence on emerging threats, and the skills to
combat them?
The answers may give you something to think about. But at
least by asking you’ll know how secure you really are, and you
won’t be one of the 69% of CEOs who don’t take cybersecurity
seriously enough.