Table of Contents
- Nine out of ten organizations reported at least one cyber incident or breach last year
- Why IT leaders are putting more business spin on security spend
- SEC targets cloud, key securities firms in latest regulatory broadside
Nine out of ten organizations reported at least one cyber incident or breach last year
Deniza Cristian
Business Review – Romania
Nine out of ten organizations (91%) reported at least one cyber incident or breach last year, according to Deloitte 2023 Global Future of Cyber Survey, and more than a third (38%) between six and ten events.
The study also points out that the frequency of cyber incidents varies depending on the level of cyber maturity of the organization, more low cyber maturity organizations experiencing over ten events (21%) compared to the mature ones (13%).
In the context of these incidents, operational disruption (58%) is the most significant impact for organizations, followed by loss of revenue, of customer trust and negative brand impact, with 56% of respondents reporting that they suffered related consequences to a moderate or large extent.
Organizations are aware of the importance of planning in creating cyber strategies that effectively mitigate risks and drive business value, as almost two thirds of them (62%) have an operational and strategic plan to defend against cyber threats.
The highly mature ones stand out in this respect, reaching 91%, the study highlights.
Additionally, more than half of the surveyed companies have an annual cybersecurity awareness training among the employees (59%) and a cybersecurity incident-response plan that gets updated and tested annually (58%).
Beyond planning, attracting and retaining the right talent is an important factor in creating successful cyber strategies and companies are taking meaningful steps in doing so, the study shows.
In order to engage, retain and develop existing talent, companies mainly offer access to training and certifications programs (54%), flexible and hybrid working options (50%) and specialized career paths (45%).
The report also shows a clear connection between cyber activities and a series of benefits, including trust.
Link: https://business-review.eu/tech/nine-out-of-ten-organizations-reported-at-least-one-cyber-incident-or-breach-last-year-244163
Why IT leaders are putting more business spin on security spend
Robert Scheier
CIO
Gartner projects that spending on information security and risk management products and services will grow 11.3% to reach more than $188.3 billion this year.
But despite those expenditures, there have already been at least 13 major data breaches, including at Apple, Meta and Twitter.
To better focus security spend, some chief information security officers (CISOs) are shifting their risk assessments from IT systems to the data, applications, and processes that keep the business going.
A new definition of value
For internal enterprise security teams, Kim says to accept that security is a cost center and demonstrate how the CISO manages total cost of ownership over time.
This might include updating CFOs and CEOs on specific cost reduction, such as reducing spend with a security vendor, finding a less expensive product to fill a security need, or improving internal metrics such as the average cost to mitigate a vulnerability, adds Tyson Kopczynski,SVP and CISO at financial services provider Oportun.
Christensen further suggests explaining how security can cut costs or increase productivity.
Kopczynski adds that CISOs can uncover such improvements with questions such as whether their organization is using all the functions in a security tool, if those features overlap with other tools, and whether the organization is paying too much for licenses or for too many licenses.
Ways to maximize value include considering tools that perform multiple security functions, or running penetration tests, attack simulations, or offensive security campaigns that prove a tool can repel high impact attacks, he says.
Understanding business needs
Aligning security spend with business needs starts with understanding what is most important to business managers.
Kim recommends using a “risk = impact x likelihood” formula, and understanding on a scale of 1 to 10 what your most important processes and assets are.
Applying caution with benchmarks
Several CISOs were skeptical about using benchmarks to compare their security spend with others.
That’s because, they say, companies may define security spend differently or have different needs.
Link: https://www.cio.com/article/472730/why-it-leaders-are-putting-more-business-spin-on-security-spend.html
SEC targets cloud, key securities firms in latest regulatory broadside
Derek B. Johnson
SC Magazine
The Securities and Exchange Commission is seeking to broaden the range of companies in the securities market that would be subject to stricter regulations for compliance and integrity of their information systems, while proposing a host of new requirements for those businesses around cybersecurity and their use of third-party cloud providers.
The 465-page proposed rule, which was first announced on Mar. 15, includes updates to more than two dozen existing laws and regulations.
Among the changes would be an expansion of how the SEC defines a covered systems intrusion, a requirement for annual penetration testing of covered systems, new requirements around notifying the commission and any affected parties about a breach, and designate key third-party providers like cloud service providers for participation in annual business continuity and disaster recovery testing.
The new rules could give the SEC greater visibility over cyberattacks on the financial ecosystem.
They would also expand regulatory SCI coverage to Security-Based Data Swap Repositories (SBDSRs), as well as a subset of the 3,500 registered broker dealers who exceed certain size thresholds and clearing agencies that were previously exempt from the heightened rules.
The agency said the new rules are directed at “key market participants,” who “play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue.”
The proposed enhancements would cover any systems or technologies at those firms that support the trading of securities, clearance and settlement, order routing, market data, market regulation or market surveillance, as well as any systems that represent “a single point of failure” in the U.S. securities market.
It would include not just systems owned and operated by those entities, but also ones managed by third parties — like cloud providers — on the firm’s behalf.
The commission also highlight the need for including SBDSRs in particular because of the role these entities play in providing “important infrastructure that assists relevant authorities in performing their market oversight,” such as the collection of market data used by regulators to conduct oversight and enforcement.
Link: https://www.scmagazine.com/analysis/business-continuity/sec-targets-cloud-key-securities-firms-regulatory-broadside