Study Commissioned by Palo Alto Networks Also Shows IT Security Chiefs Welcome EU Legislation
Yet Are Worried About Costs and Operational Strains
13 October 2016 – The received wisdom is that European IT security professionals are under overbearing pressure from adversaries when it comes to cybersecurity. Yet a new, in-depth, independent study commissioned for Palo Alto Networks into current attitudes reveals a profession that is more determined and confident than might be expected.
The real tensions in their working life are the difficult conversations IT security managers must have with their senior management bosses on the fallout from attacks. Also highlighted in the report is a need to ramp up systems and processes for the comprehensive breach reporting required in the European Union General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive.
Furthermore, years of cyberattacks have not left IT security professionals reeling; instead they are more experienced and determined to prevent attacks. When asked about the impact of a cyber incident on them, the majority (60 percent) said it provided them with an opportunity to learn from the experience and bounce back stronger; only nine percent said that it would lead to their job termination. Taking a strong preventative posture is the overwhelming strategy with, on average, 65 percent of the IT security budget allocated to it across Europe.
Where IT security professionals are less sure is with their relationships with senior management:
- Senior Managers Confused on Security: After a security breach, nearly a third (32 percent) of IT security professionals report their senior managers expressed confusion about why it had happened at all with nearly 1 in 5 respondents saying senior management blamed the team and 1 in 10 blamed them personally.
- Security Is an Awkward Conversation: Half of IT security professionals (51 percent) find it difficult to highlight possible security system weaknesses for senior management, while the rest (49 percent) find it more difficult to admit something has gone wrong and a breach has occurred. The most awkward conversation is when human failure is a factor (28 percent) ahead of a supplier being to blame (23 percent), and the need for more investment to mitigate future risk (21 percent).
- Involving Senior Managers Backfires: A third of IT professionals regard involving senior management as making matters more difficult. Notably the third most common reason for not reporting an incident was the person who caused it was part of the senior management team.
- EU Legislation to Increase Internal, Managerial Tensions: About half of IT professionals (47 percent) anticipate awkward conversations with senior management about these new breach notification requirements. Although a majority (63 percent) are positive about the legislation’s impact, respondents are concerned it will add unnecessary costs and complications and cause operational strains (56 percent). With the most common reason for not reporting a breach today being that it was too minor – 30 percent of cases – or the IT professional was too busy (27 percent), there are clearly still major challenges to overcome.
Quote
- “The tensions and gaps in understanding illustrated by this study are apparent. As I talk to companies across EMEA, I spend a lot of time helping them determine how IT security professionals and the rest of the senior management team can get closer on cybersecurity issues that are so serious and strategic. Technology can help in simplifying the processes involved, preventing and automating effective responses to incidents. But it’s clear that there needs to be more open dialogue within the senior management team to execute and continually improve on cyberattack prevention strategies.”
- Greg Day, vice president and regional chief security officer, EMEA, Palo Alto Networks
Find a Common Language: Many senior leaders struggle to comprehend cyber risk. Help make it visceral and relevant by defining some clear business metrics for cybersecurity:
- Within your prevention strategy, involve senior leaders in a readiness exercise to test cybersecurity processes so they can understand and are engaged in the issues and risks.
- Emphasize how new regulations, like the GDPR and NIS Directive, raise the bar on corporate responsibility. The need for state-of-the-art cybersecurity has never been greater, but remind the leadership team it is an ongoing, evolutionary journey with no nirvana.
Incidents do happen, so be prepared to respond. However, many can be avoided through focusing on the right key principles, leveraging automation, introducing better education and having a preventative focus.
Learn More
- Security Roundtable features a range of practical strategies that can be implemented to bridge this communication gap and remedy the tensions revealed by our study.
- Learn about the “'State of the Art Paradox” in the blog from Greg Day.
Editor’s Notes
The research was conducted for Palo Alto Networks in August 2016 by market researcher Morar Consulting, which surveyed over 1,000 IT professionals in France, Germany, the Netherlands, Sweden and the U.K.
About Palo Alto Networks
Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization’s most valuable assets. Find out more at www.paloaltonetworks.com.
Palo Alto Networks and the Palo Alto Networks logo are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.
