Are CISOs too confident?
CISOs and IT managers may be too confident in their ability to ensure their organization's security and its defenses against a data breach, according to Courion.
A majority (63%) of IT security managers believe it is ‘easy’ to govern staff access rights and privileges, despite the fact that 42% admitted they either do not have or are unsure of their ability to monitor and prevent breaches caused by accidental or deliberate staff actions.
This overconfidence in the face of an apparent lack of expertise is concerning, given that 1 in 4 of the respondents cited staff failure to follow access policies as the greatest threat to their organization’s data security, just slightly ahead of professional hackers.
The survey also confirmed the pressures IT managers and CISOs face in managing data security, with 45% saying their organisation had suffered a data breach. Any confidence they may exhibit masks fears over job losses (42%), severe reprimands (41%) and demotion (34%) if their organisation suffered a data breach.
And it seems UK IT security executives are looking for help from within the organisation, with mixed results. 43% of respondents feel they could have better relations with human resources in managing staff access rights and a majority (59%) don’t feel confident or are unsure they get enough help to make dealing with insider threats easier.
In fact, a recent separate Courion study into staff attitudes to IT security suggests staff can be ambivalent about how they use their access rights: for example, 39% share work login details with colleagues, and 1 in 5 UK professionals would snoop on sensitive personal data if they had access to it.
Courion CEO Chris Zannetos commented, “Like elsewhere, UK CISOs and IT managers are under immense pressure to prevent data breaches. What’s striking is many are finding it difficult to get the support needed to appropriately address insider threats. IT infrastructures have become increasingly complex as the access needs of users constantly change. This makes it challenging for CISOs and IT managers to understand, and as a result effectively communicate, exactly where business risk lies.
“We recognise the need to help our customers in their efforts to convey critical access-related risk in business terms. Our new service offering, the Access Risk Assessment, gives them the insight they need to begin to proactively identify and eliminate risk,” he added.
The survey polled 100 senior IT security professionals including CISOs in companies with more than 500 employees.