Australian CISOs believe CEOs are breaking security rules: Symantec

Nearly three-quarters, or 74 percent, of chief information security officers (CISOs) in Australia believe their CEO has broken internal security protocols, either intentionally or unintentionally, a report from Symantec has found. Covering 1,100 CISOs across 11 global markets, the Symantec CISO Survey revealed that CISOs in Australia are also concerned about growing threats to enterprise data in the cloud and their ability to respond quickly to attacks, with 86 percent of those surveyed indicating that ensuring cloud applications adhere to compliance regulations is one of the most stressful aspects of their job.

Respondents said on average, 29 percent of the cloud-based applications used at their companies are unsanctioned — or “shadow apps” — with Australian CISOs kept up at night having to ensure cloud apps meet compliance and regulation. “Security is constantly between a pendulum of being compliance oriented, policy, protocol, governance, or being something protection oriented regarding brand, information, operations,” said Samir Kapuria, SVP and GM of Cyber Security Services at Symantec. “What’s interesting about this is the fact that most CISOs were focused on the compliance side of it, which is pretty indicative of the fact that they don’t feel there’s enough governance and structure in cloud environments.”

While most CIOs believe they are running 30 cloud applications that were sanctioned by the organisation, Kapuria pointed to an example where an organisation discovered over 900 cloud applications had been deployed with almost all unknown to the CISO.

Also of high concern to the CISOs surveyed on cloud security was the threat of data loss, with 34 percent worried about data loss stemming from internal sources. “The board and the CEO don’t necessarily understand the damage that a cyber attack could have in an organisation, but as they’re seeing more and more victims and the catastrophic effect it has had on a business’s reputation, the more we find they’re starting to quickly learn,” Kapuria said.

If a CEO is championing cyber resilience within an organisation, they need to practice what they preach, according to Kapuria. “The overwhelming focus Australian CISOs had on data shows the dependency they have on digital form factors around their businesses. It also is a good highlight that the key currency that’s being measured for many organisations’ assets are in digital form,” he added.