Boards don't understand maturity of cybercrime model, warns Trend Micro
Expert panel at event discusses how security and technology professionals should best communicate with and educate the board
Executive boards don't understand how mature cybercriminals' business models can be, and that leaves their organisations at risk.
That's the view of Rik Ferguson, vice president, security research at Trend Micro, speaking at the recent Cloudsec 2016 event in London.
In an earlier session the audience was shown how criminal services are sold via various underworld websites around the world. Many offerings were highly professional, featuring extensive support and training packages.
"Boards get it with cybersecurity," said Ferguson. "But they don't necessarily get how mature the business model is with online crime. You shouldn't understimate your adversary."
Darren Argyle, global CISO at financial services company Markit, explained that while boards now understand the importance of security, they want more detail from security and technology teams on the risks.
"CEOs do get it," said Argyle. "That's the challenge, as they're now asking questions about our maturity and the risks. My experience is they want to drill down to the next level of detail, asking which parts of the business and which mission-critical assets are more at risk. We need to be better informed as to how to communicate with them, and keep it in business terms."
Troels Oerting, global CISO at Barclays (pictured), and former head of cybercrime at Europol, agreed that boards are now well up to speed on cybersecurity issues, and added that security funding has increased with this improved understanding.
"In the early days we had a problem with board-level understanding, but now they're all over it. It's partly because there's lots of regulation in the banking sector. They still don't exactly throw suitcases of money at me, but they want to give me what I need, because security needs to be good enough to protect our assets, and we need to take our customer's security very seriously."
Ferguson pointed to Oerting's appointment - with his background in law enforcement - as evidence of the increased level of security awareness at large organisations.
"Organisations like Barclays have now started hiring people like Troels, that didn't happen three to four years ago. He's a walking demonstration that attitudes in the boardroom around recruiting C-level positions has changed," argued Ferguson.