Survey finds 75% of security execs believe they are INVINCIBLE

Overconfident security execs may be putting their organisations at greater risk, according to new research. A report by services firm Accenture has revealed that of the 2,000 enterprise security practitioners – representing companies with annual revenues of more than $1bn – three in four were confident in their ability to stop …

  1. tiggity Silver badge

    optional title

    Presumably, as they are "execs", it's the usual scenario of them being totally divorced from the reality of what's going on. The ability to spout BS & ignore facts is also usually a must-have exec skill in many companies.

    No irony in the countries spending most on security also being least optimistic about detecting intrusions as they have more of a clue about the threats and thus the limits of their defence / detection methods.

    It's the low spending, optimistic about breach monitoring lot that is ironic (a bit Dunning-Kruger, really).

    1. Doctor Syntax Silver badge

      Re: optional title

      "a bit Dunning Kruger really"

      Make that a lot Dunning Kruger. With extras on the side. I posted the other day that paranoia is the prime requirement for sysadmins & DBAs. It should be even more so for security execs. Eternal vigilance is not enough.

      1. chivo243 Silver badge

        Re: optional title

        @Doctor Syntax

        But the difference between "Execs" and IT Sysadmins is that after a breach the Exec is heading down the road to another cushy job and salary; the sysadmin guy might be out of work a bit longer.

        1. amanfromMars 1 Silver badge

          If things suck, change them.

          But the difference between "Execs" and IT Sysadmins is that after a breach the Exec is heading down the road to another cushy job and salary, the sysadmin guy might be out of work a bit longer .... chivo243

          Hi, chivo243,

          It seems as if IT Sysadmins are missing the trick of laying a trail of virtual paper which leads to Execs being responsible and therefore unavoidably accountable because of their ignoring of calls from Sysadmins for more expensive/sophisticated resources to defend systems against intrusion/hacking.

          IT ain't rocket science, but it sure is complex enough for Execs to not know what trouble they can be easily landing themselves in with the rejection of the simplest of requests ..... squirrelled away to see the light of day later in a zero day they would know absolutely nothing about, until IT floors and buries them in unfortunate information they have direct knowledge of.

          1. Captain Badmouth

            Re: If things suck, change them.

            Hi amanfromMars 1, I think someone's hijacked your account or you've stopped taking whatever it is you're normally on....

            1. amanfromMars 1 Silver badge

              Re: If things suck, change them. @Captain Badmouth

              Howdy, Captain Badmouth,

              It is quite remarkable what the tweaking of a few algorithms can do, and there be living proof of it to show. :-)

              1. Anonymous Coward

                Re: If things suck, change them. @amanfromMars 1

                Well I demand you go back to how you were.

                1. Captain Badmouth

                  Re: If things suck, change them. @amanfromMars 1

                  They will soon enough, it's something to do with all-hallows eve, for a bet.

                2. Anonymous Coward

                  Re: If things suck, change them. @amanfromMars 1

                  Maybe making demands of amanfromMars 1 might be a poor choice.

            2. netminder

              Re: If things suck, change them.

              Speaking of Dunning Kruger . . .

              1. amanfromMars 1 Silver badge

                If things get stuck, change them asap to prevent explosions

                Speaking of Dunning Kruger . . . ..... netminder

                Do you recognise the cognitive bias in yourself, netminder? Or do you deny it attracts/attracted you to share a view here/there?

                Surely you aren't of ye olde school of pathetic and apathetic thought which accepts status quo established practice as the way to secure safe passage forward into the future .... especially whenever its commands in current power controlling systems are so inept and adept at delivering to the present, all manner of chaos and madness and mayhem for the quiet steady fermentation of revolt and mutiny.

                And for those who don't yet know and/or cannot even be bothered to Google an answer .....

                The Dunning–Kruger effect is a cognitive bias in which low-ability individuals suffer from illusory superiority, mistakenly assessing their ability as much higher than it really is.

  2. Anonymous Coward

    Reasons

    Survey finds 75% of security execs believe they are INVINCIBLE, because they are idiots.

    Or, more likely, they've done the maths, and realised that the cost of getting hacked is far less than the cost of spending money on security counter-measures.

    Patching, secure code, IDS, firewalls, monitoring, multi-tiered defence... it all costs cash.

    Compare to the minor wobble and bounce back on share prices, and ambivalence by most of their customers, and the tiny cost of fines, then they can continue to ignore it and let it happen, then shoot the IT guy.

    So maybe they're the smart ones, sitting pretty, whilst the IT guys are there to be sacrificed.

    1. Doctor Syntax Silver badge

      Re: Reasons

      "Compare to the minor wobble and bounce back on share prices, and ambivalence by most of their customers, and the tiny cost of fines, then they can continue to ignore it"

      GDPR is coming. I suppose there'll still be some execs who'll have to learn the hard way.

    2. Don Dumb

      Re: Reasons

      @AC - "Or, more likely, they've done the maths, and realised that the cost of getting hacked is far less than the cost of spending money on security counter-measures.

      Patching, secure code, IDS, firewalls, monitoring, multi-tiered defence... it all costs cash.

      Compare to the minor wobble and bounce back on share prices, and ambivalence by most of their customers, and the tiny cost of fines,"

      So let's call their bluff; this is the opportunity we have been waiting for to get stronger enforcement. The government should now say:

      "Well, if you're soooooo confident everything is bulletproof then you won't have a problem with us making the maximum fine for a breach 10% of a company's turnover? I mean, it wouldn't affect you. Would it?"

      1. Doctor Syntax Silver badge

        Re: Reasons

        "So let's call their bluff, this is this opportunity we have been waiting for to get stronger enforcement - the government should now say - "

        Take a look at https://en.wikipedia.org/wiki/General_Data_Protection_Regulation especially the Sanctions section. Not necessarily 10% of turnover but it should concentrate the mind. I look forward to the results of the first few prosecutions.
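The "they've done the maths" argument above, and the turnover-scaled sanctions Doctor Syntax points to, can be run as actual arithmetic. The following is an added example, not code from this thread, from The Register or from the Accenture report: a small annualised-loss-expectancy (ALE = annual rate of occurrence x single loss expectancy) model that compares the same two security postures under a fixed fine cap and under a turnover-scaled cap. The GDPR constants are the Article 83(5) maxima (EUR 20 million or 4% of total worldwide annual turnover, whichever is higher); every company figure in it (turnover, breach rates, direct costs, the 500k fixed cap, and the share of the legal maximum a regulator is assumed to actually levy) is constructed for illustration and is not taken from the report.

```python
"""Added example (not from the thread): the "cost of getting hacked vs cost of
controls" decision as an annualised-loss-expectancy comparison, run under a
fixed fine cap and under a turnover-scaled cap like GDPR Article 83(5).
All company figures below are constructed for illustration."""

from dataclasses import dataclass
from typing import Callable

# GDPR Art. 83(5): administrative fines up to EUR 20 million or 4% of total
# worldwide annual turnover of the preceding financial year, whichever is higher.
GDPR_FIXED_CAP = 20_000_000
GDPR_TURNOVER_FRACTION = 0.04


def gdpr_max_fine(annual_turnover: float) -> float:
    """Upper bound on a GDPR fine for a given annual turnover (same currency units)."""
    return max(GDPR_FIXED_CAP, GDPR_TURNOVER_FRACTION * annual_turnover)


def fixed_cap(cap: float) -> Callable[[float], float]:
    """A fine regime whose maximum does not depend on turnover (constructed, pre-GDPR style)."""
    return lambda _turnover: cap


@dataclass(frozen=True)
class Posture:
    """One security posture in risk-register terms (all values constructed)."""
    name: str
    breaches_per_year: float        # annual rate of occurrence (ARO)
    direct_cost_per_breach: float   # response, downtime, churn; excludes the fine
    fine_fraction_of_max: float     # share of the legal maximum a regulator is assumed to levy


def annualised_loss(p: Posture, turnover: float, max_fine: Callable[[float], float]) -> float:
    """ALE = ARO x SLE, where SLE adds the expected regulatory fine to the direct cost."""
    single_loss = p.direct_cost_per_breach + p.fine_fraction_of_max * max_fine(turnover)
    return p.breaches_per_year * single_loss


def net_benefit_of_controls(baseline: Posture, improved: Posture, control_cost_per_year: float,
                            turnover: float, max_fine: Callable[[float], float]) -> float:
    """Expected loss avoided per year minus what the controls cost.
    Positive means the controls pay for themselves; negative is the
    'cheaper to get hacked than to spend on counter-measures' position."""
    avoided = (annualised_loss(baseline, turnover, max_fine)
               - annualised_loss(improved, turnover, max_fine))
    return avoided - control_cost_per_year


# Constructed figures for a company in the survey's bracket (turnover above 1bn).
TURNOVER = 1_500_000_000
CONTROL_COST_PER_YEAR = 2_000_000   # patching, monitoring, IDS, extra staff (constructed)
BASELINE = Posture("current", breaches_per_year=0.30,
                   direct_cost_per_breach=5_000_000, fine_fraction_of_max=0.25)
IMPROVED = Posture("with controls", breaches_per_year=0.10,
                   direct_cost_per_breach=3_000_000, fine_fraction_of_max=0.10)


def compare_regimes() -> dict:
    """Run the same decision under a constructed fixed 500k cap and under the GDPR rule."""
    return {
        "fixed_cap_500k": net_benefit_of_controls(
            BASELINE, IMPROVED, CONTROL_COST_PER_YEAR, TURNOVER, fixed_cap(500_000)),
        "gdpr": net_benefit_of_controls(
            BASELINE, IMPROVED, CONTROL_COST_PER_YEAR, TURNOVER, gdpr_max_fine),
    }


if __name__ == "__main__":
    for regime, net in compare_regimes().items():
        verdict = "controls pay for themselves" if net > 0 else "cheaper to absorb the breaches"
        print(f"{regime:>15}: net annual benefit {net:>14,.0f} -> {verdict}")
```

With these inputs the fixed-cap regime returns a negative net benefit (the exec's "cheaper to absorb it" position is arithmetically correct there) while the turnover-scaled regime flips to a clear positive with everything else unchanged. The two inputs worth arguing over in a real risk review are breaches_per_year and fine_fraction_of_max: the model is only as honest as those estimates, and the report's own detection figures (months to detect, a third never found) suggest most organisations underestimate the first.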

      2. Tom Paine

        Re: Reasons

        Mandatory security audits with fat fines for non-compliance are the way forward. You'd need a turnover or headcount threshold; maybe at the smaller end the requirements are less stringent; you obviously can't audit everyone, every year (and god knows accountancy practices don't have anything like enough clueful people to do decent security audits on their customers), so perhaps you pick the lucky victims at random - say, one in ten firms a year get an audit, or one in 20. Or one in ten get a quick and fairly basic once-over, with one in a hundred, or a thousand, getting a full going over with a fine-tooth comb. Mandatory disclosure of results in company annual reports.

        Yes it would be expensive to implement. Yes it would add significant costs to firms. No, it wouldn't guarantee that no orgs could be hacked, or even that orgs who pass a full audit couldn't be audited. But it would be an enormous help -- if for no other reason than that it would become common knowledge that no, you don't get to have overrides for all the dodgy sites blocked on the proxy just because you're senior management, and no you can't have admin rights just because you're in a "creative role" and are a special and unique snowflake. ( << I had exactly this one, this very morning.)

        Of course there's not a whelk's chance in a supernova of anything like it happening outside a few very narrow vertical niches -- systemically important financial services orgs, perhaps, CNI, that sort of thing. (I bet Sainsbury's logistics, distribution and warehousing aren't regarded as CNI by the powers that be, though...)

    3. Tom Paine

      Re: Reasons

      Yeah, for the ankle-biter stuff, you're right -- ignoring the whining of the security nerds is arguably rational. Right up until you get hit by ransomware, or a BEC that costs you tens of millions of pounds. Even in a meganational multicorp that sort of expense leads to a few P45s fluttering out of the HR orders slot.

  3. Captain Scarlet Silver badge

    completely embedded cybersecurity into their cultures

    That's a lie; every user I have ever tried to teach security methods still leaves their machine unlocked, basically giving anyone access to whatever they have access to and circumventing most security in place.

    1. MrDamage Silver badge

      Re: completely embedded cybersecurity into their cultures

      Then quickly jump onto their machine, and send out an all-staff email, inviting everyone out to lunch at the sender's expense.

      Or hit Ctrl-Alt-Del for them, and accidentally change their password whilst locking the machine.

      There are plenty of ways to teach them a hard lesson. Just channel your inner bastard.

      1. Anonymous Coward

        Re: completely embedded cybersecurity into their cultures

        "Or hit Ctrl-Alt-Del for them, and accidentally change their password whilst locking the machine."

        Changing the password requires typing the old password first...

        We have an unwritten rule in place at my work unit - if someone forgets to lock their computer - the desktop background will be changed to something very NSFW.

      2. Don Dumb

        Re: completely embedded cybersecurity into their cultures

        @MrDamage - I have been in offices which take a very serious line on security. The best way to keep people sharp was to send out an email from their machine to the office telling them they would be bringing in cakes tomorrow.

        When the lax individual returned to their desk to see replies gleefully thanking them for their offer, cakes did usually follow the next day.

        Hot Fuzz made a joke of 'patisserie punishment' but it's actually an effective way to enforce policies which on their own seem too minor for proper big punishments. Sweet food gives a good natured incentive for colleagues to keep people on their toes rather than cover for people.

        An example of a small cost being an effective deterrent, whereas too big a price and it would just become unenforced - "I can't sack them for just that".

        1. Tom Paine

          Re: completely embedded cybersecurity into their cultures

          I too have worked in offices which take a very serious line on security, and sending an email from someone else's account would get you a very unpleasant interview with HR and, for a second offence, the sack.

      3. Captain Scarlet Silver badge

        Re: completely embedded cybersecurity into their cultures

        "Then quickly jump onto their machine, and send out an all staff email, inviting everyone out to lunch at the senders expense"

        I got a verbal warning for that (Seriously!), and also got frowned upon because I put large boxes with a Word document stating HAHAHA I have control of your machine.

      4. Anonymous Coward

        Re: completely embedded cybersecurity into their cultures

        "Or hit Ctrl-Alt-Del for them, and accidentally change their password whilst locking the machine."

        Errr, how do you do that without knowing their old password?

  4. 0laf

    What's the problem

    It's easy to be 100% secure.

    All you do is redefine 'incidents', 'attacks' and 'events' to be things significantly worse than global extinction or the earth being hit by a black hole.

    After that you have no more notifiable problems.

    1. veti Silver badge

      Re: What's the problem

      You jest, but there's a kernel of truth in this. The report is written as if "breach == armageddon". But we know that's not true, because - again, according to the report itself - companies tend to get breached more than once. Considerably more.

      So relevant questions would be, what do you even classify as "a breach", and how severe, on average, are those that do happen?

      If there's only minor damage, then it really doesn't make sense to throw a lot of resources into preventing them. It's like clocking your stationery supplies. Sure, you can make employees sign out every pencil they take from the cupboard, but I've never heard of anyone doing that because it's self-evidently stupid.

    2. Doctor Syntax Silver badge

      Re: What's the problem

      See my link to the wonkypedia article on GDPR.

      "The reporting of a data breach is not subject to any de minimis standard"

  5. Anonymous Coward

    Oh FFS..

    About the first thing I hammer into the young ones is a sense of humility.

    The absolute first lesson of ANY, repeat, ANY security training should be that there's always a smarter one out there. Especially the protection business (physical as well as electronic) is known for its rather rapid return of karma: you get cocky, you or your customer/employer gets hurt.

    The second lesson, by the way, is that things WILL go wrong. You WILL get breached, and most likely in the worst and most embarrassing way possible. That means you don't just develop a security model and a risk management posture, you always make sure that you have a PLAN for risk no. 1 (which, by the way, must integrate with BCM and media management or you're wasting valuable time when things blow up). Not planning for the worst is IMHO the second sin worth avoiding.

    I encourage pride in one's work, but pride that is linked to quality work, not to attitude. Attitude is lethal in protective services of any description.

    1. Charles 9

      Re: Oh FFS..

      But you simply CAN'T plan for the worst since that would have to be a Game Over; no future to plan for. So a line MUST be drawn somewhere. I believe that's lesson three. No use planning for getting shot in the head, for example.

      1. Anonymous Coward

        Re: Oh FFS..

        Around these parts, getting shot in the head is an actual hazard. While I don't make it easy, it's been discussed, living will and DNR set, yada yada. Back in the day, bullets and larger ordnance were a probability, not just a possibility. As was the fact of providing for my relief (transfer) and perhaps mortality. Disaster planning should be based on a risk-weighted analysis of likely incidents and then assess the tradeoff of various mitigations and the attached costs involved.

        Such a review should be on a continuing basis, generating response strategies as you proceed on in years. Obviously, this isn't a one person job nor should it end. Properly done you get nice documentation of what and how to react and, just perhaps, when the worst happens (your datacenter is a smoking hole), you have a clue.

        And yes, I do apply this even here at home. I'm an engineer. "Murphy was an optimist!"

        1. Anonymous Coward

          Re: Oh FFS..

          "And yes, I do apply this even here at home. I'm an engineer. "Murphy was an optimist!""

          I think he was also an accountant. It's hard to engineer or disaster plan when you're given a shoestring budget.

          1. Don Dumb

            Re: Oh FFS..

            @AC - "I think he was also an accountant. It's hard to engineer or disaster plan when you're given a shoestring budget."

            This. 100%.

            The number of times redundancy and risk mitigation has been eroded or eliminated by someone declaring the things providing that redundancy and mitigation as "massive waste". Usually these people are accountants or management consultants too motivated to 'find efficiencies'.

            Public services and infrastructure are particularly susceptible to this, as every politician wants to "cut down on waste" and every journalist is happy to find examples of "shocking government waste". Something that isn't being used is waste by default, right?

            Spares or under used assets are too often seen as surplus rather than providing crucial cover, this counts for even powerstations and medical staff. I fear we'll stretch all our national infrastructure and services thinner and thinner for a few decades then realise (when something bad happens) that we no longer have an infrastructure and the services are unable to cope.

            1. Anonymous Coward

              Re: Oh FFS..

              Spares or under used assets are too often seen as surplus rather than providing crucial cover, this counts for even powerstations and medical staff.

              We found it greatly helps to make the accountants sign off on the risk that results from not having spares and redundant resources - in other words, accept the responsibility if things go wrong. Amazingly, having to accept the consequences seems to change the evaluation..

  6. You aint sin me, roit

    "report by services firm Accenture"

    I can see it now... chief of security thinks "How can I rid myself of this persistent Accenture salesperson with their thinly disguised sales pitch?"...

    "Oh, we're bomb-proof, completely sorted, no requirement for any additional security services"

    Brush-off successful, no sale for Accenture... company marked down by Accenture as being complacent in security.

    1. Anonymous Coward

      Re: "report by services firm Accenture"

      company marked down by Accenture as being complacent in security

      To be honest, I have done audit work (not for Accenture) and it changed the way I work now. Audit tends to be done for 3 reasons: for compliance (basically tweaking liability so it points away from the company), to get someone sacked or to improve matters.

      The first two are easy because finding fault in someone else's work is not exactly hard - there are too many variables to balance against a usually far too tight budget. The last reason takes talent.

      A find-and-fix audit is one that takes insight into company needs, a good knowledge of IT and an eye for solutions that may not always be obvious, because you must work where possible within a budget (even if you're given free rein you have to stay within the economic reality of that company or they won't be able to implement it).

      That is the work I do besides rescuing/recovering corporate breach situations, and it's far more satisfying. Yes, it's much harder work than just going through the tick box driven motions, but it leads to results. To me, any audit without a parallel process to fix what is found has no value, but you will also need to be able to defend a position of "it's as good as you're going to get it with your budget" - the very fact that someone requests such an audit is a signal that you're dealing with Someone With A Clue™ which is always pleasant.

      The disadvantage is that it takes people who are far more expensive because it requires a fairly complex mix of skills, experience and, dare I say, attitude (the once mentioned absence of arrogance, for instance), which is maybe why Accenture wouldn't offer you this: lower margins. I've come across audits done by school leavers and, umm, let's just say there were some bulges under the carpet they were bullied into leaving alone..

  7. Mark 85

    Execs...

    If I were on the board, I'd want my Security type in the C-suite to be known for his tinfoil hat. Anyone in security or even IT knows that the black hats are out to get you. It's not paranoia, it's reality.

    Those who believe otherwise are wankers and deluded by their life in the Ivory Tower.

  8. Commswonk

    Perhaps not entirely surprising...

    Q1 Are our procedures sufficient to protect us from hostile action?

    A1 Er, no..

    Q2 But that's what we're paying you for! Are you saying that you aren't up to the job?

    A2 Er... it's not like that...

    Lord Sugar (for it is he): You're fired!

    Alternatively...

    Q2 What is needed to make us totally secure?

    A2 Er... I'll ask one of my team who knows the answer.

    Lord Sugar (for it is he): You're fired! And on the way out tell the person who actually knows that he (she) is now Head of Security.

    On balance it is not in the least surprising that security execs are outwardly confident that nothing can go wrong. To quote Donald Rumsfeld "they don't know what they don't know".

  9. Anonymous Coward

    I Believe It

    75% of Security Execs should be fired.

    Our own Exec has no IT background and is limited to taping up posters in the break room.

    Guess who was dealing with ransom-ware last week? Those bastids must not read our posters.

  10. David 132 Silver badge

    I am scared, because apparently I think like Reg editors

    I read the headline in my RSS feed and immediately thought of Boris in GoldenEye.

    Came to the article and was gratified/reassured/creeped-out to see a picture of the same.

    My mind scares me (which is why I try to avoid using it on a day-to-day basis).

  11. kyndair

    Does anyone have these people's names and numbers, as I have a bridge in London and a lot of scrap metal in Paris for sale.

    But seriously, the first step in getting owned on the net is assuming you could never be hacked, that somehow you are a miracle worker who can defend against all exploits, even those not yet publicly released. Layered defences help, but even then you can't assume you've covered all the gaps; there will be a blind spot some clever/lucky (part of luck is looking) bastard has found and is selling on to others for a high price.

    1. Charles 9

      Not to mention there could be bypass exploits that allow you to get past multiple defensive layers at once. On a related note, there's always the "golden key" attack: one that gets to the very deepest secrets; these are the "Game Over" types of attacks I'm thinking about. SOMEONE has to have them somewhere; otherwise, you just have a fort without a way in, so if you have to imagine someone WILL attack you, you also have to imagine someone will go straight for the kill.

  12. Anonymous Coward

    "75% of security execs believe they are INVINCIBLE"

    Sounds like pre 2007/2008 with banksters as masters-of-the-universe... Surely the only certainty anymore, is that nobody and no system is safe...

    1. Rich 11

      Re: "75% of security execs believe they are INVINCIBLE"

      What the report doesn't say is how long they've been in post. I'd guess the mean is somewhat below six months.

  13. Anonymous Coward

    Isn't this overconfidence down to 4 out of 4 not even knowing if they've been hit???

    "the report revealed that more than HALF of security executives admit it can take months to detect sophisticated breaches, and a THIRD of those successful breaches are never discovered at all."

  14. goldcd

    I can't help but think, if I were a security exec

    who answered that question as "non-invincible", there's a fair chance I'd be replaced pretty sharpish with one that could "answer the question correctly"

  15. Lotaresco

    'Twas ever thus

    Executive performance is measured using the wrong metric. For security executives it is measured on a combination of reported incidents (they must produce a graph each month that shows a continually reducing number of incidents), on "making effective use of resources" which means paying people very badly and using as few as they can get away with, then sacking the ones who are good (and expensive) and replacing them with people who are cheap, and finally on ROI which means that some made-up number must be bigger than another number and the best way to achieve that is to slash costs to the bone.

    Given the set-up, how do they meet their objectives? That's easy, don't monitor and under-report whatever you see. I've seen set-ups where the exec has proudly stated that their security processes are so good that they have *never* had a malware event. A quick look at their anti-malware shows that it's a package that has in the past had reviews such as "It would be better to have malware than to have this on your network". Sweep the system for malware using a package that works and... thousands of viruses, Trojans, adware and other garbage detected. The only reason that they thought they were immune from malware was that they had a package that could not detect it.

    I've seen IPS installed and set to passthrough, a shiny box doing absolutely nothing.

    I've seen networks where the management ports of the servers were all tied to the user LAN, in fact the only LAN in the company, because "it's easier".

    If you suggest that there's a better way of doing this, no one wants to know. And the CEO will happily go on national TV to say (a) their networks are perfectly secure and (b) that massive data loss was all the result of some evil, well-resourced foreign power[1] who hacked around all the in-depth security controls[2].

    [1] Colin Thring (14), 21 Gasworks Terrace, Cheam, using his Sinclair QL and a USR modem.

    [2] An eight-character password of which only the first four characters are significant, stored in plain text on a SQL server connected to the internet without a firewall.

  16. Tom Paine

    Nice press release

    Shame about the report. From the linked PDF:

    "A recent Accenture global survey of 2,000 security executives representing large enterprises revealed that roughly one in three focused and targeted breach attempts succeeded"

    How on earth do they think they know how much they don't know?

    This sort of survey is pretty meaningless; they only do them to provide some scary numbers for marketing to use when applying "woo! woo!" to nervous execs in order to frighten them into stumping up for the latest Heston Blumenthal style snakeoil and bullshit custard.

    All of us weary grizzled old security grunts love to feel bitter about tossers making a fortune from the "security industry" without really contributing an iota of additional protection to the global aggregate of infosec fail, but really -- if we're so clever, why aren't we doing it ourselves? I do sometimes wistfully wonder what my life would be like if I'd been born with the ability to schmooze and bullshit and lacking a conscience or moral framework... I've always fancied an Aston Martin... *sigh*

    When Hammond gave his tougher-than-tough macho man "Cybers? Hammond SMASH dem!" speech the other day I saw someone quoted as bewailing that no-one wants to go into infosec as a career, because they don't realise how well paid and glamorously exciting it is. Well the wedge isn't bad, I suppose, but wherever I've worked -- and I've been through a lot of places in my time -- it's about relentless, grinding misery, the stress of knowing you're really just there as a figleaf for customers and a sacrificial goat in case anything goes wrong; management parroting cliches about the importance of security and then merrily giving the thumbs up to the worst of bad practices, fighting unwinnable wars to get the business to agree to do things more slowly and expensively, with nothing to show for it that they couldn't get from a magic tiger-stone... you will also need a strong Zen buddhist practice, or the stomach and liver of a concrete elephant -- 'cos you'll have a lot of grief to forget. A LOT.

  17. Cuddles

    But how do they know?

    "a third of those successful breaches are never discovered at all."

    Seriously, if they never discover them, how do they know they happened at all?

  18. EJ

    For the 3 of us who haven't seen Goldeneye yet...

    Thanks for the spoiler alert.

    1. Anonymous Coward

      Re: For the 3 of us who haven't seen Goldeneye yet...

      Don't worry, not missing much.

      Apart from the Atari Jaguar Joypads being used as explosive devices.
