The Current State of Cybersecurity Performance
--
An interview with Jamie Singer, US Data Security & Privacy, Edelman
Members of ESI’s thought leadership team sat down with the experts behind Driving Cybersecurity Performance to examine the state of cybersecurity practices and the growing trends impacting the industry.
Driving Cybersecurity Performance is the latest multi-client study from ESI ThoughtLab. The study will include an in-depth global survey of CISOs in companies spanning the Americas, Europe, and Asia Pacific and represent firms of varying sizes, from $50 million to over $50 billion in revenue. Full findings will be publicly available in the Spring of 2020. For more information, please visit our project microsite.
In your opinion, what are some of the most challenging cybersecurity issues organizations currently face? What industries need to be most proactive in improving their cybersecurity tactics?
In today’s cyberscape, it’s no longer a matter of “if, but when” any organization in any industry could be at risk of facing a significant data security or privacy event. In the last year especially, we’re seeing an increasing number of organizations — particularly in the healthcare, financial services, technology and municipality spaces — being forced to navigate the complexities of ransomware attacks. Ransomware can be debilitating to an organization not only in its ability to communicate to external stakeholders, but also how to communicate and function internally. Organizations suffering ransomware attacks must balance the desire to meet stakeholder expectations of transparent and frequent communications, while acknowledging the fluidity and length of forensic investigations and restoration processes. We’re also seeing increased focus on utility companies and their preparedness for cyber attacks that could lead to devastating operational and environmental consequences. Regardless of industry or sector, it’s incumbent on all organizations, big and small, to enhance their cybersecurity resilience and “muscle memory” in preparation for communicating about these issues.
How are organizations equipping their staff to better understand/handle cybersecurity issues?
As many data security and privacy issues stem from employee negligence — a lost laptop, a stolen flash drive — organizations must continue to focus on educating internal stakeholders on cybersecurity threats. We’re seeing increased focus on employee training/engagement programs on cybersecurity awareness, from large-scale training modules to frequent phishing security tests. In addition, incident response teams in organizations are increasingly seeing the value of pressure testing their plans through tabletop and crisis simulation exercises in order to identify and close gaps in preparedness, and to ensure existing communications processes and protocols are actionable and effective.
What are the biggest trends you see taking shape within the cybersecurity industry that will have major impacts in the next 3–5 years?
From a consumer standpoint, we anticipate the cybersecurity landscape continuing to broaden its focus beyond cyber intrusions related to IT security to include more macro issues and vulnerabilities related to data privacy and usage. Consumers increasingly expect organizations to be accountable for the data they collect, share and use. Organizations will be challenged to ensure their data privacy policies align with the regulatory / legal demands under GDPR and the California Consumer Privacy Act, while also meeting stakeholder expectations for clear and transparent communications.
Cybersecurity frameworks, like NIST’s, typically include five dimensions: identify, protect, detect, respond, and recover. How are organizations shifting their focus across these areas? Which dimensions are most important for 2020?
Given the potential for long-term reputational fallout stemming from major cyber events, organizations in 2020 must continue to focus on sharpening their internal and external communications responses to these issues. Companies that fumble the tone and execution of the communications response may face longer/multiple news cycles, stock impacts, scrutiny from local and federal elected officials, class-action litigation and eroded stakeholder trust. It is critical that all organizations build and test their incident response communications plans in advance of a critical issue so they can be better positioned to respond effectively when all eyes are on them.