By Jonathan Rusch
Principal, DTG Risk & Compliance LLC
In Greek mythology, the god Apollo gave Cassandra, the daughter of King Priam of Troy, the gift of prophecy, but then decreed that her prophecies would never be believed. During the Trojan War, Cassandra predicted the fall of Troy – even the presence of men in the wooden horse outside the city gates – but was disbelieved, and the city was soon sacked.
Although companies and government agencies may think that they are appropriately attentive to the importance of cybersecurity in their organizations, too many have given their information-security teams the Cassandra treatment. For example, the Democratic National Committee (DNC) ignored a 2015 warning and advice about vulnerabilities in its network before its catastrophic breach in 2016, and the Securities and Exchange Commission (SEC) – which has admonished and even fined publicly traded companies for their cybersecurity deficiencies – was warned for years about its own cybersecurity weaknesses by the Government Accountability Office before the SEC suffered a massive data breach in 2016.
The DNC and SEC are hardly alone in this respect, however. Even if senior management is not affirmatively rejecting warnings from their companies’ information security officers about cyber threats, mid-level managers and cybersecurity experts may be inadvertently or reluctantly giving their organizations’ cybersecurity processes and resources the Cassandra treatment. A 2018 survey by BAE Systems found that 37 percent of mid-sized organizations surveyed were still investigating alerts manually, only 7 percent (equivalent to more than 1,200 U.S. medium-sized businesses) were doing nothing with the alerts they received, and fewer than 20 percent of the alerts that make it through the surveyed organizations’ security tools were actually investigated.
A new survey of more than 600 cybersecurity professionals by the Ponemon Institute provides a fresh opportunity for C-level executives in all types of organizations to assess whether they have been giving their cybersecurity programs the Cassandra treatment. The Ponemon Institute survey, which anti-breach technology vendor Balbix commissioned, provided a variety of findings to support its view that “[t]oo many organizations are struggling to maintain or improve their security posture”:
- 44 percent of those surveyed said that they were not confident that their organizations could avoid a data breach, and 23 percent said that they were only “somewhat confident.”
- 67 percent said that “they do not have the time and resources to mitigate all vulnerabilities in order to avoid a data breach.” In addition, 63 percent of respondents with ineffective vulnerability programs (nearly 60 percent of the total) said that “‘inability to act on the large number of resulting alerts and actions’ is problematic.”
- 61 percent said that “they don’t have adequate context on the business impact if a vulnerable asset got breached,” 56 percent said that they were “concerned about their inability to predict where or which assets would be compromised,” and only 40 percent of organizations “even attempt to incorporate business risk into its vulnerability management activities.”
- 60 percent identified “not enough visibility across all IT asset types (especially unmanaged assets [e.g., assets used by third parties]) as a big challenge.”
- 68 percent of those surveyed believed “that staffing is not adequate for a strong cybersecurity posture.”
- Only 15 percent believed that “their patching efforts are highly effective.”
These and other key findings in the Ponemon Institute survey should be the basis for a sustained discussion between business, IT, and compliance executives at C-levels in every organization. That discussion needs to address whether their information-security risk assessments are sufficiently comprehensive and accurate, and whether the current allocations of personnel, technology, and funding are sufficient to provide high confidence that their organizations can withstand a serious cyberattack or coordinated series of cyberattacks.
Damage from cyberattack is not the stuff of Greek myths, but a genuine risk of potentially catastrophic proportions. Companies, agencies, and other organizations that treat their information-security professionals and programs as Cassandras are doing so at their peril.
* * *
Jonathan J. Rusch is Principal of DTG Risk & Compliance LLC, and an Adjunct Professor at Georgetown University Law Center. The views expressed are his own.