“Poor communications, lack of leadership and lack of board oversight are barriers to effective incident response,” according to a new Ponemon Institute research report titled “The Importance of Senior Executive Involvement in Breach Response.”
The study sponsored by HP Enterprise Security Services surveyed 495 senior executives in the United States and United Kingdom to understand their perspective about the importance of executive- and board-level involvement in achieving an effective incident-response process.
I have delivered many speeches citing the need for senior executives and board members to get significantly involved in cybersecurity and data-breach risk management. Ponemon’s findings suggest that too many at the top of corporations are not properly engaged, even though their employees, customers and intellectual property are vulnerable.
Poor communications, lack of leadership and lack of board oversight are barriers to effective incident response. Seventy percent of respondents say poor communications is a barrier and 68 percent of respondents believe organizations do not have the appropriate leadership in place to deal with data-breach incidents.
Senior executives believe their involvement in the incident-response process is necessary. Seventy-nine percent of respondents say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical.
Current incident response plans are more reactive than proactive. Less than half, (44 percent of respondents) characterize their organization’s incident response process as proactive and mature.
Executive level oversight is critical to minimizing financial loss and protecting reputation and brand. How do senior executives view their responsibility when an incident occurs? Senior executives are most concerned about the long-term effects and sustainability of the organization when sensitive and confidential information is stolen. Their focus is on minimizing financial loss and avoiding reputational damage.
Understanding the risk and approving incident response plans should be on the board of directors’ agenda. Seventy-seven percent of respondents say the board should be involved in reviewing risk assessments followed by approving the incident response plan (69 percent). Receiving regulatory and compliance updates (68 percent) and approving insurance coverage (66 percent) are other areas in which the board should be engaged.
From the perspective of a senior executive, what makes a data breach significant? In the context of this research, a material breach is one that requires more resources to resolve in order to minimize financial loss and reputational damage.Fifty-seven percent of respondents say the lost or theft of more than 10,000 records containing confidential or sensitive information constitutes a significant data breach.
Negligent and malicious insiders are considered the biggest security risks.Senior executives are more concerned about the threat within than with external risks caused by cyber criminals and hacktivists. Forty-two percent of respondents say they worry most about negligent insiders followed by 25 percent who say they are concerned about malicious insiders.
Incident response should focus on understanding the cause of an incident and addressing the negligent insider risk. Forensics investigations are key to responding to a breach (86 percent of respondents) followed by training and awareness of employees (81 percent)—probably because of executives concern about negligent insiders.
Mark’s most important: Note to small and large company leadership: Get involved in cybersecurity from top to bottom because it’s essential, the right thing to do and it will help mitigate and/or eliminate your risk specific to the 47 state notification laws, FTC Red Flags Rule, and HIPAA HITECH act.
Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at firstname.lastname@example.org.