  • Security Matters to C-Suite

    In our study, nearly three-quarters of executives told us that security threats are now a CEO or board-level concern. Cloud and BYOD were cited by more than one-third of executives who believe they increase security risks for their organizations. IoT was selected by more than a quarter of executives, while less than one-fifth cited SDN.

  • "All businesses are potential targets, and the boardroom is beginning to understand just what and how much are at stake. Since 2012, IDC has seen a sharp increase in the frequency, bandwidth volume, and application orientation of attacks. With these types of attacks on the rise, organizations need to be aware of, and take steps to protect their infrastructure from, the advanced methods today's attackers use."

    Christian Christiansen, Program Vice President, Security Products & Services IDC
  • Executive Insights – From the Corner Office

    Complementing our ongoing quantitative research, this year Radware launched an inaugural qualitative study to explore the most pressing problems and persistent challenges facing senior information security and technology executives around the globe.
    Targeting CIOs, CISOs and VP-level executives across a myriad of industries, the research reveals that while information security was once the purview of the IT department, it is now on the minds of C-suite executives and a board-level concern. It also illuminates the security challenges and issues executives are wrestling with—and the opportunities they see ahead. More specifically, we probed a number of questions:

    • Is there anything special about your industry that would make you more at risk?
    • Do you know how many times you have been attacked in the last 12 months?
    • How has handling cyber security threats to your organization changed in the last five years?
    • What are the best measures you’ve implemented in the last 12 months to handle the newest security threats and why?
    • Which of today’s biggest IT trends—Bring Your Own Device (BYOD), Cloud, the Internet of Things (IoT) and software defined networking (SDN)—do executives believe pose the most significant risk for their organizations?
    • What keeps security executives up at night, and why?
    • Are security threats now a CEO or board-level concern in your company?
    • How do you expect the cyber threat landscape to evolve moving forward in the next 12 months?
    • What measures are cross-industry executives planning to implement in the next 1-3 years?

    "[The telecommunications] industry has seen a sharp rise in targeted DDoS attacks as well as malware targeting our primary service offering: mobile devices. We've observed many attempts to compromise large numbers of mobile devices in an effort to build a botnet to target our infrastructure and/or the infrastructure of another organization."

    Dannie Combs
    CISM Senior Manager, Network Security
    U.S. Cellular

    The survey garnered responses from corner offices within billion-dollar enterprises across multiple industries—including financial services, government, healthcare, higher education, manufacturing, telecommunications and transportation—in every region around the globe. What follows are some of the most illuminating findings and insights.

    Industry-Specific Risks

    We asked respondents about security threats or challenges affecting their industry—financial services, government, healthcare, higher education, manufacturing, telecommunications and transportation. A number of executives indicated that they do indeed face some specific risks because of the nature of their industry.

    The research suggests that for the financial services industry, the likelihood of cyber-attacks has actually decreased over the past year. Even so, the financial services executives in our study still believe that by its very nature, their industry is high risk. One specifically mentioned the need for comprehensive endpoint management to safeguard financial services organizations.

    Other executives echoed the challenge of safeguarding industry-specific information. Citing the core mission of any community college—“very open public access”—a higher education executive captured one of the central challenges for these institutions. Making educational facilities, information and other resources more accessible to more people can create or compound vulnerabilities around data privacy, particularly when it comes to student records. Similarly, the CIO of a large federal contractor and the Chief Information Security & Privacy Officer of a large health system pointed to the sensitive information—government and medical data, respectively—that they must steward. In both cases, these executives face complex regulations designed to ensure privacy and security of sensitive government and patient information. They also face daunting legal, financial and reputational consequences if their organizations are unable to safeguard the data in their care.

    Looking Back

    We asked executives about how many attacks their organizations had experienced in the last 12 months. Healthcare and manufacturing executives conceded that they do not know how many times their organizations were successfully targeted. By contrast, their peers in the education, financial services, government, telecommunications and transportation industries told us they could quantify their attacks. They credited a number of tools—intrusion detection/protection systems, log files as well as metrics and analytics—with enabling their organizations to detect and quantify attacks.

    For many executives, the past five years have brought significant change in how their organizations handle security threats. Security is no longer a “part-time job,” with most respondents indicating they now have teams dedicated to security. Several pointed to “exponential growth in volume [and] complexity” of attacks, along with greater awareness among senior leaders. A telecommunications executive noted that his company has quintupled investments, increased headcount and restructured the organization to better position security teams to proactively identify cyber security risks, mitigate attacks, conduct forensics and manage compliance obligations.

    We also asked the executives to think about more recent changes: the best measures they have implemented over the past 12 months. Some of the responses reflected a change in communication and training, such as instituting daily review meetings and conducting user awareness training. Others pointed to new technical capabilities, including advanced analytics, intrusion/threat detection and monitoring, secure email, user access control, web browser content filtering and desktop sandbox security.

    According to Dannie Combs of U.S. Cellular, the company has increased headcount and added redundancy to critical security infrastructure. In addition, U.S. Cellular has added new security tools to further enable deep visibility and forensics capabilities—driven primarily, he says, by “the reality that the attack volumes, complexities and frequency have increased year over year.” Meanwhile, an executive for a global player serving government clients reported separating internal systems from BYOD devices in order to limit entry points for threat vectors. A manufacturing executive indicated that his company has implemented ShareFile to improve the way it controls data.

    Trendy—and Risky?

    We also asked the executives about Bring Your Own Device (BYOD), cloud computing, the Internet of Things (IoT) and software-defined networking (SDN)—four of the most powerful macro-trends shaping the information security landscape.
    As use of smart phones, tablets and other mobile devices has surged, so has the prevalence of BYOD in the enterprise. BYOD offers a number of potential benefits to an organization but can also introduce new and complex risks. At the same time, organizations across sectors are continuing the great migration to the cloud, suggesting that the end of traditional enterprise IT may not be far in the future.

    Two other innovative trends—the Internet of Things and SDN—have also emerged. The Internet of Things has arisen from the growing prevalence of connected devices—not just computers or smart phones, but also consumer devices (such as major appliances and automobiles) and embedded industrial devices. This growing connectedness may prompt the end of endpoint security and the dawn of entryway security. SDN—which decouples the system that makes decisions about where traffic is sent from the underlying systems that actually forward traffic to the chosen destination—is poised to upend the way networks are managed and secured. In our survey, cloud and BYOD—the two more established trends—were cited by more than one-third of executives who believe they increase security risks for their organizations. The Internet of Things was selected by more than a quarter of executives, while less than one-fifth cited SDN.

    Losing Sleep: What's Keeping Executives Up at Night?

    Losing Sleep in the C-Suite

    • Financial Services –
      “I only know what I know.”
    • Education –
      “Breach of personally identifiable information and records.”
    • Healthcare –
      “Detecting attacks. [We] cannot do it.”
    • Telecommunications –
      Higher volume and frequency of attacks. “An attack 30 to 40Gbs per second, or larger, would cause an immediate impact to our business.”
    • Manufacturing –
      “Inability to prevent internal threats. Users continue to trust virus/malware emails.”
    • Government Contractor –
      “Breach of personal information—the cost and impact to company name.”

    We wanted to know what’s causing cross-industry executives to lose sleep. What are the risks, threats and trends they consider most worrisome? Even within an industry, responses varied widely, but a number voiced concerns about their inability to detect attacks; “I only know what I know,” as a VP of a major financial institution noted. The Chief Information Security & Privacy Officer of a large hospital pointed to attack detection, admitting that the hospital simply cannot do it. Internal threats—whether borne of malice or ignorance—remain a chief concern for the Chief Technology & Information Officer of a global manufacturer.

    For the Vice Chancellor of IT at a college, breach of personally identifiable information and records was the top concern—reiterating the challenge of keeping data secure in an environment designed to foster easy access. A telecommunications executive articulated his fears around growing volume and frequency of attacks. "An attack 30 to 40Gbs per second, or larger, would cause an immediate impact to our business." And a government contractor's CIO told us he's most worried about breach of personal information and the resulting cost and reputational impact on the firm.

    Looking Ahead

    Nearly three-quarters of executives told us that security threats are now a CEO or board-level concern. Some mentioned negative press coverage as the impetus for greater focus on threats. Others pointed to the potential impact on the business—as well as the need for increased funding and the growing liability associated with cyber-attacks and other threats. In the hospital’s C-suite, executives have taken note of the American Hospital Association’s documentation regarding what boards and CEOs should know about information security.

    Given this growing emphasis on security, we also wanted to know the executives’ thoughts about the future, including specific plans for the upcoming year. When we asked whether respondents expected more attacks, fewer attacks or about the same volume, the response was unanimous: “Expect more attacks.”

    When thinking of future plans, analytics and big data emerged as themes—underscoring the growing importance of increased security intelligence. A healthcare executive cited plans to implement FairWarning®, while a peer from the financial services industry noted application whitelisting—that is, letting only known programs run—as among his organization’s upcoming plans.