Originally published in TEISS, on 24 July 2017

GDPR, security awareness, and cloud security strategy are the top most concerns of security professionals, says a recent survey of 39 CISOs.

While most CISOs believe breach response is a priority, 63% of them focus more on prevention capabilities rather than response.

A survey of 39 CISOs by ClubCISO has revealed that as many as 78 percent of all CISOs consider the GDPR as the top issue, followed by security awareness (74 percent) and cloud security strategy (61 percent).

Responding to the survey, 63 percent of CISOs said that breach response was a major responsibility, but this was contradicted by the fact that 78 percent of company boards focussed on prevention capabilities instead of response.

““In the wake of a growing number of cyber-attacks, an increasingly fragmented (and therefore vulnerable) workforce, and a step-up in the complexity and effectiveness of malware, 78% of company boards still place their focus squarely on prevention capabilities, rather than response,” said Marc Lueck, chairman at ClubCISO.

“At the same time, these same boards contradict themselves by prioritizing breach response very highly. In fact, 63% cite it as a major responsibility of the CISO. In other words, boards want CISOs to clean up the mess after a breach, but they’re not necessarily taking a balanced approach to investing in solutions that enable them to do this quickly and effectively,” he added.

In short, a majority of companies are focussing on tackling visible and perceived security risks as and when they come instead of fixing root causes and security processes. Raef Meeuwisse, author of Cybersecurity Exposed: The Cyber House Rules, said to Infosecuritythat breach response is much more expensive for organisations compared to if security is embedded in systems by design.

He compared the response of company boards with ‘bailing water out of a boat that is riddled with holes’. Companies should fix security holes and vulnerabilities first instead of applying fixes, and this will ensure that symptoms will be permanently addressed.

“The organizations that are coming through the major cyber-attacks unscathed are not doing anything super-clever, but they are applying all the basic and sensible security basics, such as timely patch management, restricted installation (administration) rights, regular back-ups and AI anti-malware,” he added.

A separate survey of CISOs also revealed that as many as 80 percent of organisations in the UK are in favour of cloud adoption despite concerns on long-term security risks associated with the cloud. As many as 37 percent of such organisations have recently launched Cloud computing projects for the first time.

“Quite simply, CIOs cannot blindly trust that public cloud services will work flawlessly and be delivered perfectly at all times. The more responsibility CIOs hand over to providers, without ensuring that established ITSM principles are applied, the more they open themselves up to blame if one of those services fails,” noted Paul Cash, managing partner at Fruition Partners who conducted the survey.

“CIOs should still be managing cloud services internally, rather than abdicating responsibility to the provider. Otherwise they risk losing control, and increasing both cost and risk to themselves and the business,” he added.