CEO’s Overconfidence in Cybersecurity Could be their Undoing

INFO SECURITY MAGAZINE | 13 December 2016 

CEOs’ overconfidence in their organization’s ability to deflect attacks could be exposing global firms to greater cyber risk, according to new research from RedSeal.

The cybersecurity analytics firm interviewed 200 CEOs of global firms, and found over 80% were very confident in their cybersecurity strategy.

This is despite data breach incidents soaring in 2016. In the US alone there have been nearly 1,000 reported incidents this year, leading to the exposure of 35 million records, according to the Identity Theft Resource Center.

In the UK, government figures from May claimed that two-thirds of large firms had been hit with a cyber attack or breach in the past 12 months.

 

RedSeal CEO Survey

CEOs Reveal Cyber Naiveté as Incidents Rise and Losses Mount

Study Commissioned by RedSeal Exposes Significant Disconnect Between CEOs’ Confidence in Defense Strategies and Actual Results, Points to Requirement for Real-Time Measures of Network Security



SUNNYVALE, Calif. – RedSeal (www.redseal.net), a leader in the cybersecurity analytics market, today released the results of a CEO study, which surveyed perceptions of – and confidence in – their cybersecurity posture.

The study found that more than 80 percent of CEOs are very confident in their firm’s cybersecurity strategies, despite the fact that security incidents have surged 66 percent year-over-year since 2009 according to PricewaterhouseCoopers’ 2017 Global State of Information Security Survey.

“CEOs are underestimating their companies’ cyber vulnerabilities,” said Ray Rothrock, chairman and CEO of RedSeal. “Their confidence does not square with what we observe. Cyber-attacks are up and financial losses associated with these attacks are increasing dramatically.” Specifically, PricewaterhouseCoopers’ 2015 Global State of Information Security Survey projected that financial losses from cyber-attacks will jump from $500 billion in 2014 to more than $2 trillion in 2018.

Cyber Confidence Based on Out-of-Date Strategies

While CEOs remain confident that their cyber strategies are well equipped to handle the risks facing their company networks, there is a disconnect between their perception and reality. In Oct. 2014, FBI director James B. Comey said that no company is immune from attack. “There are two kinds of big companies in the United States,” he told 60 Minutes. “There are those who’ve been hacked…and those who don’t know they’ve been hacked.”

Yet two years later, the RedSeal study found that half of the CEOs still prioritize keeping hackers out of the network, versus just 24 percent who were concerned with building capabilities to deal with hackers who have successfully breached their network’s perimeter defenses.

“The new cyber battleground is inside the network, not at the perimeter,” said Rothrock. “Firewalls, virus detectors, and malware scans are required to keep out 99 percent of the bad guys, but the one percent who get in can cripple a firm, critical infrastructure or a government agency.”

CEOs Struggle to Assess Their Massive – and Growing – Cybersecurity Investments

The study found that, while 87 percent of CEOs agree that they need a better way to measure the effectiveness of their cybersecurity investments, 84 percent still plan to increase their spending in the next year. This trend is reiterated by IDC’s Oct. 2016 prediction that organizations will spend $101.6 billion on cybersecurity software, services, and hardware in 2020, a 38 percent increase from its 2016 spend projections.

“We’ve reached an inflection point where cyber security strategies and investments have underperformed for an extended period of time. Analysts estimate that cyber losses are now growing more than twice as fast as the spend on security,” continued Rothrock. “To stem this tide, CEOs and boards need more effective metrics to understand the real-time health and function of their network, and to more clearly manage and measure their cyber strategies and investments.”

Even though security budgets are at an unprecedented high, nearly three out of four CEOs report the metrics they receive lack meaning or context. Most (79 percent) agree their reports are too difficult to understand, and 87 percent need a better way to measure whether cybersecurity investments are effective. In addition, they cite a lack of timeliness (51 percent) as well as only receiving reports in times of crisis (50 percent) as significant challenges.

Nearly 90 percent of CEOs say they want information – on a daily basis – about their cybersecurity posture and network’s overall health, external threat level, and the resilience of the network.

And while 79 percent of CEOs surveyed strongly agree that cybersecurity is a strategic function that starts with executive leadership versus being a responsibility passed on to the IT team, 89 percent of these same CEOs report reliance on their IT team to make the budget decisions on cybersecurity.

“CEOs project a great level of confidence when asked about their cybersecurity strategies, however their perceptions aren’t in line with reality,” said James Kaplan, partner at McKinsey & Company and co-author of Beyond Cybersecurity: Protecting Your Digital Business. “For years, the IT security industry has operated with the understanding that every organization will suffer a security incident. Given this inevitability, CEOs should be much more focused on building resilience into their businesses so they can maintain operations when the breach occurs.”

Methodology

This RedSeal study was conducted online via an independent data collection firm, 72 Point, in September 2016. 200 chief executive officers in the U.S. were randomly sampled, at organizations with 250 or more employees. 42% of respondents were CEOs of companies with greater than 1,000 employees. The survey reached CEOs across a host of major industries, including technology, finance, manufacturing, government and retail. Respondents were invited to the survey from an invitation-only panel of CEOs. The survey and methodology are MRS compliant. To review an executive summary of the results, visit our website.


About RedSeal

RedSeal puts power in decision makers’ hands with the essential cybersecurity analytics platform for building digitally resilient organizations. RedSeal’s Digital Resilience Score, modeled after a creditworthiness score, measures how prepared an organization is to respond to an incident and quickly rebound. The company’s platform adds value to existing network devices by working with them and building a network model. With this, customers can understand the state of their networks, measure resilience, verify compliance, and accelerate incident response. RedSeal’s customers are Global 2000 corporations and government agencies that depend on the most sophisticated security. Founded in 2004, RedSeal is headquartered in Sunnyvale, Calif. and serves customers globally through a direct sales and channel partner network.

Experts Debate the Key Points of the Final Obama Cybersecurity Report

TECH TARGET | SEARCH SECURITY | December 7, 2016

The final cybersecurity report for the Obama administration identified six key issues for improving cybersecurity and recommended actions to make positive changes, but experts disagree on the key points and whether the recommendations will be heeded by the incoming administration.

Cybersecurity Pros Tell Trump to Heed Commission’s Recommendations

SC Magazine | December 6, 2016

Cyber industry executives are weighing in on the presidential Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy, identifying several areas they feel the commission nailed when it comes to improving our nation’s cybersecurity and what the upcoming Trump administration needs to focus upon.

RedSeal Responds to the Commission on Enhancing National Cybersecurity Report

“Collaboration is about trust, and sharing information with government can be a tough sell to a skeptical business audience. But we must try to get it right. Sharing intelligence is a key to success. The military knows that.

It can be a key to success in cyber, too. As we work to close the trust gap, let’s also move ahead to set standards and let businesses and other organizations pick best-of-breed solutions for their networks. One size does not fit all.”

– RedSeal CEO Ray Rothrock

 

What is the Commission on Enhancing National Cybersecurity?

The Commission on Enhancing National Cybersecurity, established by President Obama early this year, completed and released its report on Dec. 1, 2016, providing detailed short-term and long-term recommendations to strengthen cybersecurity in both the public and private sectors.

According to NIST’s website:
The report emphasizes the need for partnerships between the public and private sectors, as well as international engagement. It also discusses the role consumers must play in enhancing our digital security. The report categorizes its recommendations within six overarching imperatives focused on infrastructure, investment, consumer education, workforce capabilities, government operations and requirements for a fair and open global digital economy.

What does the report mean for the current state of cybersecurity?

RedSeal executives have been quoted in several articles responding to the report’s findings:

How can RedSeal help an organization follow the report’s recommendations?

Even with the billions invested in hundreds of network security products, incidents, breaches, and failures are inevitable.

The most forward-thinking business leaders realize that the best approach is to make their networks resilient. Resilience is the ability to stay in business and minimize damage to your customers, your reputation, and your bottom line when the inevitable incident happens. Even though you can never prevent every attack, a resilient network can prevent an incident from becoming a breach, stopping an attacker in his tracks.

So how do you measure and manage your digital resilience? That’s where RedSeal’s security analytics platform comes in.

 

Goodbye SIEM, Hello SOAPA

NETWORK WORLD | November 29, 2016

Security Information and Event Management (SIEM) systems have been around for a dozen years or so. During that timeframe, SIEMs evolved from perimeter security event correlation tools to GRC platforms to security analytics systems. Early vendors such as eSecurity, GuardedNet, Intellitactics and NetForensics are distant memories. Today’s SIEM market is now dominated by a few leaders: LogRhythm, McAfee (aka: Nitro Security), HP (aka: ArcSight), IBM (aka: QRadar) and Splunk.

RedSeal Selected as a 2016 Red Herring Top 100 Global

Cybersecurity and Analytic Software Platform Provider Honored for Second Consecutive Year

SUNNYVALE, Calif.— RedSeal (redseal.net), a leader in the cybersecurity analytics market, today announced that Red Herring selected it as one of its Top 100 Global companies for the second year in a row. This prestigious award recognizes private companies from North America, Europe, and Asia for their innovations and market-leading technologies in their respective industries.

“We’re honored to be recognized by Red Herring for our work helping organizations maximize their digital resilience against potentially crippling cyber events,” said Ray Rothrock, chairman and CEO of RedSeal. “Cyber attacks are an increasingly public and material issue for businesses, government agencies and critical infrastructure operations. In fact, it’s becoming a primary concern of the C-suite, as they recognize there is no such thing as perfect perimeter protection. As a result, we’re seeing massive demand for RedSeal’s ability to measure the resilience of networks, and map cyber investments to results.”

Red Herring’s Top 100 Global list has become a mark of distinction for identifying promising companies and entrepreneurs. Red Herring editors were among the first to recognize that companies such as Facebook, Twitter, Google, Yahoo, Skype, Salesforce.com, YouTube, and eBay would change the way we live and work.

“Choosing the companies with the strongest potential was by no means a small feat,” said Alex Vieux, publisher and CEO of Red Herring. “After rigorous contemplation and discussion, we narrowed our list down from hundreds of candidates from across the globe to the Top 100 Winners. We believe RedSeal embodies the vision, drive and innovation that define a successful entrepreneurial venture. RedSeal should be proud of its accomplishment.”

Red Herring’s editorial staff evaluated the companies on both quantitative and qualitative criteria, such as financial performance, technology innovation, management quality, strategy, and market penetration. This assessment of potential is complemented by a review of the track records and standing of startups relative to their peers, allowing Red Herring to see past the “buzz” and make the list a valuable instrument of discovery and advocacy for the most promising new business models from around the world.
