A new study by Tripwire should be setting off your alarms.
The company surveyed 403 IT security professionals, the people who should know the true state of information security (or cyber security, if you prefer the term) at their organization.
90 percent of organizations lack the skills to address the full range of cyber threats!
There have been repeated reports that information security experts are in high demand but short supply. This survey confirms the problem.
97 percent of organizations lack the technology they need to address the threats!
If I were on the board and heard this, I would be questioning the executive team hard.
Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.
But do they know the true extent of the problem?
Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?
When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.
Rather than audit the defenses, I had my team audit whether the company had the capability to build, maintain, and manage the defenses.
Key questions include:
- Do you understand the risk to the business (the consequences) if there is a successful intrusion? How will the objectives of the organization be affected? Can you assess cyber risk in business terms, and have you done so? How recent is that assessment?
- Are you satisfied, and if so, why? If not, what are you doing about it?
- Do you have the people to understand (on a continuing basis) and then address cyber risk?
- Do they have the tools? Is that your opinion or theirs?
- Is the voice of information security heard and listened to at senior and board levels?
- Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?
- How often is an objective assessment of information security performed, and is it reliable? Are its recommendations acted on?
- Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?
I welcome your comments.