In a survey of 113 companies who had suffered a breach 71% of IT practitioners claimed that brand protection was not their responsibility, while 70% do not believe their companies have a high-level ability to prevent breaches.
The research, by Centrify and the Ponemon Institute, found that 67% of chief marketing officers worry about reputation, but 63% of IT practitioners worry about their jobs. For those IT practitioners that had experienced a data breach, the most negative consequences were: significant financial harm (52%), greater scrutiny of the capabilities of the IT function (51%) significant brand and reputation damage (35%) and decreased customer and consumer trust in their organization (35%).
Cybersecurity consultant Dr Jessica Barker told Infosecurity that she felt that the disconnect between IT and CMOs was most interesting, and it shows we still have a long way to go to get joined up working actually happening in organizations and for people "to truly see that cybersecurity is a business issue, not just an IT one."
Speaking on a roundtable to launch the research, Bill Mann, senior vice-president of products and chief product officer at Centrify, said that some organizations do a good job of dealing with breaches, but some do a bad job. Asked if there was not a buy-in from IT into the company culture, Mann said: “There’s a disconnect on what they do on a day-to-day basis and what sells depending on stock price.
“It is not really about strategically running strategies across organizations, and not about more investment in a company, but more about alignment and communication within organizations.”
Mann said that every board meeting should ask ’are we getting better’ and it’s not happening, and he said that from his point of view, companies should be asking and educating all members of staff on the impacts on the brand.
Asked if third-party consultants who were not part of the company were part of the problem, Mann said that this could be improved by being better managing consultants to know what their priorities are. “If you’re an Oracle DBA that’s your world, but how you reach them about what is important and a lot of communications from management are on priorities and that’s even more difficult with outsourcing”, he added.
In an email to Infosecurity, consultant Brian Honan said that in many cases, he finds IT professionals who have a primary focus on technology do not worry about company loyalty. “To them the focus is on the technology and the type of technical projects they may get involved,” he explained.
“The more successful IT professionals and security professionals tend to be those who have an active interest in the business and understand the business goals and strategies of the organization.”
Honan said that if the third party is seen as taking core and/or interesting work away, then IT professionals can feel threatened. “However, if mundane or routine tasks are outsourced or key hard to find skills are brought in, then many see this as an opportunity to focus on interesting projects and to enhance their own skills,” he said. “So companies need to be careful in how they outsource so they get the balance right.”
The research also found that those companies who were breached had suffered a 5% average drop in the stock price.
Mann said: “It’s clearly a blind spot for the C-suite and it’s time leadership recognize that protecting data is no longer just an IT problem, but a bottom-line business concern that needs a holistic and strategic approach to protecting the whole organization.”