The Continuing Problem of Aligning Cybersecurity With Business
4.9.18 securityweek  Cyber

Aligning security policy with business practices is generally considered to be a key imperative for a successful company. This must necessarily start with security teams understanding the business, and business leaders understanding security requirements.

Varonis decided to test the progress by querying 345 C-Suite executives and IT/cybersecurity professionals -- broadly separated into business and IT/security groups -- across the U.S., UK, France and Germany. The results show apparent progress, but with puzzling details that might indicate slightly divergent viewpoints between the two groups.

For example, asked what types of data most need to be protected, both groups agreed on first customer or patient data, and second, intellectual property. They disagreed however, on the third priority. The business group specified employee data, while the security group specified financial data.

However, the most surprising divergence comes in the response to a query on the business impact of a data breach. The security group were most concerned about loss of brand image for the business, while the business group were most concerned with the cost of recovery.

"If I had been asked before the survey," Brian Vecci, technical evangelist at Varonis, told SecurityWeek, "I would have thought that non-IT folks would have been more concerned about brand image and damage than with IT recovery costs -- but it's actually the other way around. It's the security experts that are most concerned with brand perception and intellectual property loss, whereas the non-IT C-suite execs -- the top business leaders -- tend to think that IT recovery costs are the biggest issues."

The figures suggest that business and IT/sec are still not fully aligned, but in a non-intuitive manner. The reason could be something simple. Business leaders understand business better than they understand cybersecurity, and consequently worry more about what they don't fully understand; while IT/sec people understand security better than they understand commerce.

Or it could be a continuing failure for IT/sec to find the best metrics for reporting to business leaders. "It's all about data," said Vecci. "Nobody ever breaks into a network to steal the network log -- it's all about data, either exfiltrating and stealing data, or in denying service with something like ransomware."

IT/sec is aware of the scale of the data issue, while business leaders are only just becoming aware. "We're living is a more dangerous interconnected world, where anybody, anywhere can -- and if they want to, probably will -- get into your network," continued Vecci. "And the scale of the problems they have to solve when it comes to data is far bigger than it used to be. Most companies have between 30% and 50% more data this year than they had last year, and it's not slowing down -- it's just the way things work."

The data that needs to be secured is also changing in its nature. A few years ago, most sensitive data was stored in structured databases, and the need and methodologies for securing that data were well understood. Now, however, the majority of sensitive data -- made more sensitive by increasingly stringent data privacy laws like the GDPR -- is held in unstructured files and documents. Earlier this year, the 18 Varonis Global Data Risk Report showed that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network, 58% of companies have more than 100,000 folders open to everyone.

IT and security teams need increasing budgets to solve the increasing problems -- so their reporting tends to reflect the problems. They, however, are less concerned because they can see the improvements to their security posture; and the Varonis figures confirm this. Ninety-one percent of the IT/sec group believe their organization is making progress in security, while only 69% of the business leaders see that progress.

"The arrival of machine learning technologies has helped CISOs believe they are moving the needle and improving security," suggests Vecci. "They can see this, while business execs, who tend to have a more binary view of things, possibly cannot see it."

The misalignment between IT/sec and business leaders may, then, be down to the difficulty of delivering meaningful metrics on the effect of machine learning defenses. This is possibly confirmed by one of the responses in the Varonis survey. Asked whether the organization can quantify the effect of cybersecurity measures, 88% of the IT/sec group replied in the affirmative, while only 68% of the business group agreed.

Unfortunately, while this may be partially true, other figures from the Varonis survey suggest that there remains a fundamental divide between the two sides. Ninety-six per cent of the IT/sec group believes their security planning approach is aligned with the organization's risks and objectives, but only 73% of the business leaders agree.

Perhaps the most concerning response came from the question on whether business is actually listening to IT/sec. Asked whether the leadership acts on input/guidance from the IT/sec team, 94% of the IT/sec team agreed, while only 76% of the business group agreed.

This Varonis survey shows that a fundamental misalignment still exists between business and IT/sec -- but not always in the most obvious manner. It could possibly be because business leaders still do not understand cybersecurity and simply turn a deaf ear to demands for more budget; or it could be the continuing inability of the IT/sec team to find the right metrics that can be understood by business people. This could in turn be down to the speed of technological changes. IT/sec is introducing new technologies like machine learning at a faster rate than they can provide metrics on the performance of those technologies.