clock menu more-arrow no yes mobile

Filed under:

Bridging the Accountability Gap: Why We Need to Adopt a Culture of Responsibility

A new study found a worrying gap between presumed and actual corporate readiness for data security incidents.

EPIP.org

Businesses face a litany of existential threats: Hostile takeovers, talent departures, unpredictable customer behavior and market fluctuations — all deeply familiar risks that leaders have carefully planned for and assessed over decades. Yet these same leaders are often alarmingly unprepared for the most potentially damaging threat — a massive data breach that could mean the loss of everything … all in a matter of seconds.

A new study, “The Accountability Gap: Cybersecurity & Building a Culture of Responsibility,” found a worrying gap between presumed and actual corporate readiness for data security incidents and a widespread lack of accountability at the top levels of organizations.

The problems begin not with the “techies” in a company, but rather at the very top with the board of directors, as we learned when Nasdaq and Tanium teamed up to investigate how business leaders assess their own cybersecurity vulnerability. In the new study, “The Accountability Gap: Cybersecurity & Building a Culture of Responsibility,” researchers at Goldsmiths, University of London, found a worrying gap between presumed and actual corporate readiness for data security incidents and a widespread lack of accountability at the top levels of organizations. That means that some of the world’s largest networks, holding some of our most precious data, are more vulnerable than their leaders believe.

The study surveyed 1,530 non-executive directors (NEDs), C-level executives, chief information officers (CIO) and chief information security officers (CISO) across the United States, United Kingdom, Germany, Japan, Denmark, Norway, Sweden and Finland. They discovered that, among the most vulnerable companies, 98 percent of those business leaders are not confident their organization can monitor all devices and users at all times, which means information is traveling through unknown places.

Additionally, 90 percent of respondents could be categorized as medium-to-high risk for a cybersecurity incident, and 40 percent of respondents admitted that they didn’t feel responsible for the repercussions of a cyber attack. Until cybersecurity awareness and readiness are understood and openly communicated by both board members and senior executives alike — and all employees are educated on their personal accountability — closing the gap between how vulnerable you are versus how vulnerable you think you are is a bridge too far.

Information security is fast becoming the No.1 area of IT spend for Global 2000 companies. Information security saw a 24 percent average increase in spending from 2014 to 2015, according to PwC. Unfortunately, businesses have failed to keep pace with the hackers. The sad fact is that the security industry has failed to evolve at the pace of cyberhackers, and most companies use technology that has not been updated in decades to protect their most sensitive data.

The problems begin not with the “techies” in a company, but rather at the very top with the board of directors.

The same study found data breach incidents outpaced the spending, increasing by 38 percent worldwide last year. Why? Because we have seen that cybersecurity is not simply a technology problem. Though having the right tools and cyber-hygiene practices is of paramount importance to ensuring the right security posture, it’s only part of the equation. If the people who are responsible for safeguarding an organization’s data don’t feel responsible — or simply don’t know how to be — a company remains at great risk.

But there is cause for optimism. Not only do new technologies address the latency and scale issues of legacy security tools, this report identifies several actions all organizations can consider to open meaningful dialogue — from board to C-suite to staff — to reduce vulnerability and ultimately close the accountability gap. Here are two to consider:

Create a culture of openness: Educate and empower the board

Some 91 percent of board members at the most vulnerable respondent companies are unable to interpret a cybersecurity report. Most board members are not technologists, and even fewer have a cyber background. Board members need to know what questions to ask in order to assess a company’s vulnerability — in the same way they ask questions regarding financial concerns. In many cases, certain board members responsible for cybersecurity could be given extended training so they can be comfortable with the language and impact of the data they are presented. Nasdaq’s board has multiple board members with a deep knowledge of what security means in the context of running a technology organization and how security incidents could impact the financial markets.

It is important to foster an environment of transparent communication in which cybersecurity can be talked about openly. Work collaboratively with governments, nongovernment organizations, and peers to understand the latest security threats and ways to work together to put out fires. The research shows that we need to move to a culture of openness — one that strives for transparency and maximum visibility. Admit that hacking is inevitable, but breaches are not. Strong response plans, employee training targeted to each level in the company, cultivating knowledge and sharing information are crucial elements for strengthening cybersecurity. Specifically, companies should be focused on improving information flows across the organization (including the board) and sharing information, too. This means being active with many industry consortiums, as they are all fighting the same fight.

Create a culture of vigilance: Acknowledge that cybersecurity is a fundamental threat to the business

If widespread education about the detrimental impact of cybersecurity is step one, then an honest look at the technology you use to keep safe and run the business is step two. Prevention-based security strategies have failed on a very public level. People, processes and technology are the cornerstones of a culture of vigilance and when holistically approached, the keys to staying one step ahead of the attackers. The reality is that most modern security tools are just abstracted versions of themselves from the past two to three decades. They lack the ability to answer basic questions like, “How many devices are in my network?” or “which applications are causing the most vulnerabilities?” It may sound simplistic at its core, but an organization cannot protect what it cannot see.

Until cybersecurity awareness and readiness are understood and openly communicated by both board members and senior executives alike — and all employees are educated on their personal accountability — closing the gap between how vulnerable you are versus how vulnerable you think you are is a bridge too far.

Kris McConkey, PwC’s lead for cyber- and insider threat intelligence, detection and incident response commented to us, “One of the failings of the security industry or rather the industry as a whole, is that we’re effectively taking all the same business processes that we’ve been using for the last 20 to 30 years, and trying to add more and more layers of technology on top to patch all the holes.”

We live in an exciting time, one where we use Internet-powered devices to connect directly with businesses, governments, each other and the world around us. As a result, we are able to solve problems quicker and live longer, happier lives. It’s time that leaders across the organization take personal responsibility and play a more active role.

Cyber attacks represent an existential threat to this way of life, and we need to make sure the right people, processes and the technology are in place to protect our most sensitive data.


Orion Hindawi co-founded Tanium in 2007, and serves as its chief executive officer. Hindawi leads product strategy and development of the Tanium Platform, in addition to all customer-facing technical operations and management functions. He has led the development of enterprise-scale endpoint security and management platforms for the past 18 years at BigFix, Inc. (acquired by IBM in 2010) and Tanium, in addition to holding multiple software patents in the areas of network communications and systems management. He also serves on the Tanium board of directors. Reach him @Tanium.

As SVP, CISO and global head of infrastructure services at Nasdaq, Lou Modano is responsible for leading the company’s information security risk assessment and governance activities as well as information security incident management engineering teams. He is also responsible for the development and implementation of Nasdaq’s global technology infrastructure and services, including networks, systems, storage, databases, cloud computing, office automation and data center facilities. Modano and his global team support the underlying infrastructure behind Nasdaq’s trading and market systems, as well the Market Technology and Corporate Solutions businesses within the Global Technology group. Reach him @NASDAQ.

This article originally appeared on Recode.net.

Sign up for the newsletter Sign up for Vox Recommends

Get curated picks of the best Vox journalism to read, watch, and listen to every week, from our editors.