CEO DISCONNECT IS WEAKENING CYBERSECURITY
WSJ. Custom Studios is a unit of The Wall Street Journal advertising department. The Wall Street Journal news organization was not involved in the creation of this content.
A disconnect about cybersecurity is causing tension among leaders in the C-suite — and may be leaving companies vulnerable to breaches as a result. Sensational headlines in 2017 are in part to blame for this disconnect — a year full of high-profile news about companies experiencing malware breaches. The so-called cyberworm WannaCry, for example, attacked Microsoft systems, infecting 200,000 computers overnight, hitting 150 countries and impacting much of Britain’s National Healthcare System. It was a particularly notable case. But other ransomware, such as Petya, NotPetya and Bad Rabbit, grabbed the media’s attention, too — and even more destructive variants became frontline weapons for state actors.
It’s not surprising, then, that CEOs are reacting to these reports, as a recent Dow Jones Customer Intelligence/Centrify survey of 800 senior executives found. In the survey, CEOs cite malware as the most important cybersecurity risk threatening their organization’s success. But technical officers on the front lines (CIOs, CTOs and CISOs) see it differently: They point to identity breaches — including privileged user identity attacks and default, stolen or weak passwords — as the biggest threat. True, all respondents are clear that identity breaches present a real danger to cybersecurity, but CEOs are much less inclined to give them prominence.

62% of CEOs cite malware as the biggest threat to cybersecurity, compared with only 35% of TOs
COMPROMISED IDENTITY, NOT MALWARE, IS THE PRIMARY THREAT

The CEO response to cybersecurity is misaligned with reality. In the survey, 42% of TOs pointed to identity breaches as one of the primary threats to their organization’s success compared with only 35% citing malware. And this understanding is backed up by other cybersecurity research. For example, the Verizon 2017 Data Breach Investigations Report found that “81% of hacking-related breaches leveraged either stolen and/or weak passwords.”[1]

Poor communication between CEOs and TOs is contributing to the disconnect. A case in point: While 81% of CEOs say they are most accountable for their company’s cybersecurity strategy, only 16% of TOs agree, with 78% saying they are themselves most accountable. For their part, 56% of CFOs point to TOs and only 36% to CEOs. While CEOs are ultimately responsible for all corporate strategy and must have an overview of all operations, these findings point to higher than expected tension among these leaders.

Who is accountable for cybersecurity strategies?
81% of CEOs say they are most accountable for security strategy
78% of TOs disagree, saying they are most accountable
[1] The Verizon 2017 Data Breach Investigations Report found that “62% of breaches featured hacking.”
COMPROMISED IDENTITY, NOT MALWARE, IS THE PRIMARY THREAT (continued)

While overseeing the forest, CEOs may be missing some trees. There is no starker example than this finding: More than two-thirds (68%) of executives from companies that experienced at least one breach with serious consequences say it would most likely have been prevented by either privileged user identity and access management or user identity assurance. That compares with only 8% who point to anti-malware endpoint controls.

Other perceptions about cybersecurity breaches are at odds too, amplifying the tensions. CEOs differ sharply from TOs about both the frequency and impact of breaches. Only about half (55%) of CEOs say their organization has experienced any breach, compared with 79% of CTOs. Yet when firms do acknowledge breaches, CEOs are nearly twice as likely (15% vs. 8%) to say they have had serious consequences. This suggests that TOs may be less aware of the broader consequences of a breach, such as losing shareholder value, customers or partners.

What would prevent a breach?
68% respond that identity security would have prevented serious breaches with significant consequences
Only 8% of companies said that anti-malware endpoint security would have prevented the breaches
MISALIGNMENT AND MISINFORMATION ARE LEADING TO MISINVESTMENT

The findings call into question how CEOs are using resources to protect their firms. CEOs clearly have the most influence on strategy, including spending priorities, but those spending priorities are out of line with actual risks: 60% say they expect to invest most in protecting against malware over the next 12 months, compared with only 53% who point to identity breaches as the top priority. Oddly, CEOs still think malware needs the biggest investment, even though 93% say they are already at least “well-prepared” in this area.

60% of CEOs are investing most in malware protection, yet 81% of breaches exploit identity.

That should give organizations substantial cause for concern. CEOs who miss real cyberthreats can be overly confident that they’re well-protected, despite what their TOs say about identity breaches. Yet spending still remains strongly aligned with CEO priorities.
CEOS MISINFORMED ABOUT SECURITY

Other findings support the argument that CEOs are basing their cybersecurity strategies on faulty assumptions. For example, they are much more likely than TOs to say that their company will reduce every type of cyberthreat over the next two years. The difference is greatest for malware, where 49% of CEOs say their firms will reduce this threat substantially, compared with only 28% of TOs. The CEO viewpoint seems to mirror their spending priorities and reflects a kind of cognitive dissonance. Because they emphasize malware spending, CEOs believe that’s where the risks will go down, even though most day-to-day breaches aren’t caused by malware — no matter how dramatic the headlines about them may be.

There is also a delta between CEOs and TOs over the kinds of evidence they think it would take to shift cybersecurity priorities. Of those who say their organization doesn’t see compromised credentials as a significant threat, 56% of CEOs say that it would take a major breach within their organization to change that, while 51% point to media coverage of a breach in another firm. This compares with 51% of TOs (vs. 38% of CEOs) who tend to rely more heavily on evidence-based research about risk levels.

What would it take to shift your cybersecurity priorities?
56% of CEOs say that it would take a major breach within their organization to see compromised credentials as a significant threat
51% point to media coverage of a breach in another firm
REPUTATION: AN IMPORTANT PART OF THE BUSINESS CASE

In building a persuasive business case for spending more on cybersecurity, CEOs place the most emphasis on reducing the cost of a breach (55%) and improving shareholder value (45%). TOs share those concerns but they tend to place greater weight on protecting brand reputation (52% vs. 35% of CEOs) and security as a competitive advantage (42% vs. 24%). Yet these are factors CEOs should keep in sight. While bottom-line considerations fall to them, they are in danger of being penny-wise and pound-foolish if they fail to consider the impact of reputational damage. TOs are also more frustrated by inadequate security budgets than are CEOs (31% vs. 22%). For their part, however, TOs would do well to understand the overarching implications of the solutions they are proposing for their companies, including areas such as the user experience.

Building the right business case — What is most important?
CEOs: 55% reduce cost of breach; 45% improve shareholder value
TOs: 52% brand reputation; 42% security as a competitive advantage
REPUTATION: AN IMPORTANT PART OF THE BUSINESS CASE (continued)

More broadly, the survey findings suggest that differing perceptions between CEOs and other leaders can be attributed to two key factors:
1. CEOs are more interested in the broad business impacts of security breaches, such as stakeholder value and shareholder value. As a result, they tend to base their opinions on media reports and high-profile cases. For their part, TOs are more likely to perceive technical risks.

2. CEOs have a bigger interest in protecting the user experience (including customers, partners and employees), so they see solutions that interfere with that as a problem. CFOs understand this issue but are more focused on technical challenges.
CLEAR THE CEO DISCONNECT

Ultimately, then, all C-suite stakeholders would do well to share their perspectives and contribute their expertise on the issue of cybersecurity threats — the only way the organization can get a clear picture of the real risks and deploy resources accordingly. To make that happen, shifts will need to take place.
1. CEOs believe malware is the principal threat to cybersecurity. That’s wrong. Compromised identity issues are prevalent — something TOs recognize. CEOs would benefit by listening to them because they are more aligned to the real threats and the best way to mitigate them.

2. CEOs need to change their mindset. One way to do that is to better align cybersecurity spending more directly with the real risks and high-profile cases. For their part, TOs are more likely to perceive technical risks.
THE BOTTOM LINE: CEOs NEED TO CONSIDER EVERY CYBERSECURITY RISK THREATENING THEIR FIRMS.
If they downplay the importance of potential identity breaches, they could face another real danger: negative and dramatic headlines focusing on their companies after passwords are hacked and highly sensitive information is made public.
CEO FOCUS ON END USERS

CEOs and TOs differ on the aspects of their organization’s cybersecurity strategy that they find most personally frustrating. CEOs are most concerned about controls that fail to maintain user-friendly functionality, impacting employee productivity and customer experience (54% vs. 35%). Reflecting greater CEO concerns about user experience, they are also more likely than TOs to cite multi-factor authentication (MFA) as the most difficult aspect of privileged identity and access management (62% vs. 41%).
This is despite recent and massive investment and innovation by identity security vendors, including in machine learning, that has dramatically reduced the burden of deploying and managing MFA. This same innovation has dramatically improved user experience, reduced the learning curve and burden for users, and become smarter about when and how to prompt users. This gap likely reflects TOs’ greater understanding of technical improvements that have enriched the user experience while improving security. To make that happen, shifts will need to take place.
Percentage of respondents citing MFA as the most difficult aspect of privileged identity and access management:
CEOs: 62%
TOs: 41%
WHICH ASPECTS OF IDENTITY MANAGEMENT ARE MOST DIFFICULT TO MANAGE?

Percentage of CEOs and technical officers who perceive privileged user identity attacks as a significant risk (n=286)

[Bar chart comparing CEOs with technical officers across: risk-based access controls; shared account password management; superuser privilege management; privileged session management; remote IT admin access; multi-factor authentication; least privilege enforcement. Only the multi-factor authentication values (CEOs 62%, technical officers 41%) are recoverable from the extracted text.]
SECURITY IS FACING AN IDENTITY CRISIS

CEOs continue to believe that malware and other endpoint security solutions are still the answer to protecting their organizations, their data, their customers, and their brand reputations. Yet TOs on the front lines of security know a different reality: identity is the primary attack vector, not malware. Identity breaches — including privileged user identity attacks and default, stolen or weak passwords — are the biggest threat. The disconnect between CEOs and TOs is resulting in misaligned priorities and strategies, as well as misinvestments in cybersecurity solutions, which are weakening security. The status quo is not working. Business leaders need to bridge the communications chasm with their TOs and rethink security with a focus on identity and privileged access. To continue to do otherwise risks exposure to a preventable crisis — Security’s Identity Crisis.
Learn the factors behind this failed defense, why identity reigns as the No. 1 attack vector and what you can do to protect your organization. This ebook helps you avoid a security identity crisis with practical guidance to:

• Assess your company’s identity risk
• Implement best practices to reduce your chances of a breach
• Plan a path to achieve Zero Trust identity maturity
• Evaluate various approaches to identity solutions

Today’s threatscape calls for a rethink. Security’s Identity Crisis is essential food for security thought. READ THE EBOOK
DOW JONES CUSTOMER INTELLIGENCE
RESEARCH METHODOLOGY
As part of the Dow Jones Customer Engine, the Dow Jones Customer Intelligence Unit conducts both bespoke and secondary research on behalf of our brands and our clients’ brands; and through rigorous analysis and our unique perspectives seeks to be a trusted source for relevant, timely and reliable insights.
The statistics cited in this report are from a survey of 800 senior executives conducted in November 2017 by Dow Jones Customer Intelligence (a unit of The Wall Street Journal/Dow Jones Advertising Department), with sponsorship from Centrify. More than three-quarters of these executives are CEOs, CFOs or technical officers (including CIOs, CTOs and CISOs) and the remainder are their direct reports. The companies represented have at least 1,500 employees and over half have more than 10,000 employees. They are positioned across 19 industries in the U.S. and the U.K., and about half report annual revenues exceeding US$5 billion.
ABOUT CENTRIFY

Centrify delivers Zero Trust Security through the power of Next-Gen Access. The Centrify Zero Trust Security model assumes that users inside a network are no more trustworthy than those outside the network. Centrify verifies every user and their devices, and limits access and privilege. Centrify also utilizes machine learning to discover risky user behavior and apply conditional access — without impacting user experience. Centrify’s Next-Gen Access is the only industry-recognized solution that uniquely converges Identity-as-a-Service (IDaaS), enterprise mobility management (EMM) and privileged access management (PAM). Over 5,000 worldwide organizations, including over half the Fortune 100, trust Centrify to proactively secure their businesses.