Failed security controls cost businesses billions
A new report finds 61 percent of organizations have suffered a security breach in the past year because their policies, governance, and controls failed or were not working effectively. This is costing US businesses $30bn and UK businesses £10bn per year.
The study from security posture management firm Panaseer surveyed 400 security decision makers across the US and UK and found 72 percent have taken out indemnity insurance in response to growing personal liability, whilst 15 percent have considered leaving the industry.
In addition, 85 percent of decision makers are facing greater scrutiny from the board. 57 percent say they are constantly being asked to provide assurances, but lack the trusted data they need to supply them -- while only 55 percent are fully confident that data presented to senior management and the board is fully accurate.
"In the wake of highly publicized attacks -- such as the SUNBURST SolarWinds breach -- regulators like the SEC are enforcing criminal charges and stringent rules on CISOs, who are under a corporate sword of Damocles. Their feet are being held to the fire by boards and regulators, but they lack the data to provide accurate insights that would help hold the business accountable. After all, it's business risk, not CISO risk," says Jonathan Gill, CEO at Panaseer. "Some CISOs have been forced to plaster over the cracks with personal indemnity insurance. But this treats the symptoms without addressing the causes. If this blame game culture continues whilst CISOs are left powerless to provide accurate assurances, many will leave the industry -- either of their own volition, or at the behest of courts."
The findings show 75 percent of security leaders feel they have greater personal liability for security failures now compared to two years ago. Most (72 percent) think this is at least somewhat fair, with 44 percent saying it will be a good thing, as it will lead to higher standards in the industry -- and 47 percent saying it has made them even more cautious. However, 28 percent think it's unfair that CISOs and security leaders can be held personally accountable for security failures, with 23 percent saying it makes them 'angry' that they should have personal risk around security failings.
One of the major issues outlined in the report adding to security leaders' trepidation is the extra reporting pressure security teams are under, with 72 percent saying that if their team could spend less time on reporting they would prevent more breaches.
"While other business units are empowered with specialized tools -- like SAP and Salesforce -- to enable data-driven insight, CISOs are often left to make do with disparate tools and no single, trusted view," adds Gill. "We need to even the odds, giving security leaders a system of record that offers a transparent view of every asset within an organization. Armed with this golden source of truth, CISOs are empowered to provide assurances, report risk in good faith, discover gaps in security and plug them before security incidents take place, protecting both themselves and their company."
You can get the full report on the Panaseer site.