Good enough is no longer good enough

 

Seventy-seven percent of information security leaders say that the most significant risk to an organization is employees doing their jobs however they want, with no regard to data security protocols or rules. When asked, “If your company experienced a data breach in the last 18 months, what was the cause of the data breach?”, 50% of information security leaders said it manifested inside the company as a result of an employee action. Incidentally, only 28% cited external actors (e.g. hackers, ransomware, malware).

89% of information security leaders believe the fast-paced cultural model of their business puts their company at greater risk of data security threats.

Knowing their stance on culture, we then asked Chief Information Security Officers (CISOs) about their priorities. Despite CISOs’ belief that fast-paced culture models put their companies at greater risk, employee risk and workforce culture changes rank last in terms of their priorities. So we asked: how good is your security for data risks that manifest inside an organization (aka those “no one wants to admit they exist” insider threats)?

Their answer: It’s good enough.

“Good enough” is probably the worst answer you want to hear to any question about security, yet that’s often the “brutal truth” and it’s no longer good enough.

I’m sure CISOs love it when vendors say, “it’s not a matter of if insider threat happens, it’s a matter of when.” I argue it’s not even a matter of when; it’s a matter of fact. It’s already happening, and happening every day. Working for a security company that focuses on data risk detection, we do a ton of research, and our research draws a clear correlation between growing insider threats and the very culture change many CEOs are driving.

80% of enterprises will change their culture by 2021 as a way to accelerate their digital business strategy

The external forces of culture change are too strong to ignore: Boomers are retiring. GenX is climbing the ranks. GenY is now the largest segment of the workforce, and Gen Z is beginning to enter the workforce en masse. Such forces are defining the new digital workforce, and with it, new attitudes about data:

  • 72% of employees believe their work is their property
  • 60% of employees admit to taking data with them from job to job
  • 8 of the top 10 collaboration tools employees use are in the cloud

Given the attitudes of this next-gen workforce around data and the growing insider threat problem, shouldn’t the CISO adopt a proactive security strategy to future-proof the digital business culture? Shouldn’t CISOs be at the center of the culture change? Shouldn’t the CISO have a seat at the culture change table?

We say yes. It’s time for CISOs to be viewed as business enablers and not blockers. It’s time the CISO is viewed as a partner in driving the very data-driven, performance-based and collaborative culture digital businesses need to succeed. If 80% of enterprises will change their culture by 2021, then the CISO is there to secure it.

(Source: Code42)