3 things you need to ask your head of security

Cybersecurity is more than a technical matter, it’s a human one. So to remain secure, organizations need to combine some deceptively soft-sounding solutions, such as collaboration, partnership and skills, with the toughest technology.

Cyberattacks are constantly evolving, and becoming more insidious than ever. The rise of the Advanced Persistent Threat (APT) and the even more potent Advanced Volatile Threat (AVT) has seen a boom in polymorphic, multi-vector hacking against ordinary organizations.

Traditional security approaches, such as next-generation firewalls (NGFWs) and intrusion prevention systems (IPS), no longer provide protection against new techniques like spear-phishing. Examples continue to hit the headlines of respectable, competent organizations which nonetheless fall victim to cyberattack, suffer data theft, financial loss and damage to their brand reputation.

Yet incredibly, 69% of CEOs don’t take security seriously enough, according to BT’s recent report on mobile security threats. (For more information, download the executive summary.)

No organization can defend themselves effectively on their own. Collaboration and partnership are becoming essential to cybersecurity. To get the latest intelligence, you need access to sources of shared information about the entire threat landscape. CERT UK’s Cyber-Security Information Sharing Partnership (CiSP) is a great initiative. Commercial organizations also provide threat intelligence services. Look for one that scans both open-source and anonymized private data and provides both general reports and analysis of your organization’s specific vulnerabilities.

One of the greatest vulnerabilities organizations face is not technological at all – it’s human. People are often the cause of security breaches – not intentionally, but simply through ignorance or carelessness. 10% of employees do not even secure the BlackBerry or iPad they use for work with a simple password. More than half don’t know what their company’s security policy is for using their own devices at work – usually because the company doesn’t have one (only 40% do) or because it hasn’t trained them on it.

More than half of all organizations don’t give all their employees training on their personal responsibility for cybersecurity. If they did it would not only reduce the risk of security breaches but help mitigate the consequences should they occur. But developing a security-conscious culture needs to come from the top, with executives leading by example.

Not only do organizations have too many people who don’t understand security, they don’t have enough people who do. There is an acute global shortage of cybersecurity skills: only 26% of organizations believe they have sufficient resources in place to prevent a mobile security breach.

If you can’t hire enough suitably skilled security professionals of your own, a good approach is to join forces with a partner who does. Partnerships are a better way of tapping into the intelligence and expertise you require, because security specialists who deal with many organizations have a more comprehensive and up-to-date view of the emerging threat landscape. Partnerships with your own customers help too, as they can inform you of issues outside your immediate field of interest before they become a problem. Intelligence can be shared with others in the partnership, too.

Leaders of all types of organizations should ask their head of security these three questions:

1. How prepared are we to combat Advanced Persistent Threats?
2. How well is our security policy being applied to our own people through training and awareness programmes?
3. Have we got sufficient access to up-to-date intelligence on emerging threats, and the skills to combat them?

The answers may give you something to think about. But at least by asking you’ll know how secure you really are, and you won’t be one of the 69% of CEOs who don’t take cybersecurity seriously enough.

Author: Luis Alvarez, CEO, BT Global Services

Image: A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski