Today, Centrify announced a new research study conducted with Dow Jones Customer Intelligence titled, “CEO Disconnect is Weakening Cybersecurity.” The report sheds light on what’s going on inside the enterprise that’s enabling significant increases in the number of successful, high-profile breaches.
At Centrify, we see Zero Trust Security as the most promising cybersecurity model to emerge in decades, and as the solution to the majority of these breaches. We’ve designed our solutions to help organizations adopt a Zero Trust Security model through a single platform consisting of Identity-as-a-Service (IDaaS), multi-factor authentication (MFA), enterprise mobility management (EMM) and privileged access management (PAM), all working in combination with the Centrify analytics service to leverage machine learning.
Before we can talk meaningfully about solutions, we first must identify the problem in its entirety. In this case, we know the primary cause of breaches is hackers and other bad actors, but it takes two to tango. In order for a successful breach to occur, there must be intent on one side and some degree of unpreparedness on the other.
I want to be clear—this is not a blame game. This is an attempt to understand what’s broken inside organizations that allows bad actors to take advantage. It’s about understanding where the disconnects are so that they can be effectively addressed, and we can move toward a more secure environment.
Misalignment Between CEOs and Technical Officers
According to the report, while CEOs remain hyper-focused on malware, technical officers (CIOs, CTOs and CISOs) point to privileged user identity attacks and misused passwords as the most serious and pervasive threat against their organizations. In fact, while nearly two-thirds of CEOs cite malware as the primary threat, just 35 percent of technical officers agree.
That fairly significant disconnect illustrates the problem: The vast majority of CEOs — who view themselves as the primary owners of their companies’ cybersecurity strategies — remain focused on a secondary threat rather than on the primary attack vector – identity. This is despite numerous reports that suggest otherwise. Verizon’s 2017 Data Breach Investigation Report indicates that 81 percent of all breaches involve weak, default or stolen passwords. That’s up double digits from just the previous year.
To clarify, malware does play a role in many breaches, but it’s often through compromised identities that the malware enters the organization in the first place. And it’s through the compromised identities of privileged users that hackers gain access to the most critical data. The majority of technical officers are absolutely right—the problem, and the priority, is identity.
What We’ve Got Here is a Failure to Communicate
On one side, we’ve got CEOs focused on malware. On the other, we have technical officers focused on identity protection—the latter being indirectly endorsed by 68 percent of executives who claim prior significant breaches against their companies would have been prevented by privileged user identity solutions.
But the debate doesn’t stop with which attack vector deserves top billing—there’s even disagreement over if they’ve been breached. 55% of CEOs say they’ve already been breached, but that number jumps up to a whopping 79% of CTOs who say the same. That means almost one-in-four CEOs is unaware they’ve been breached, either by simply being unaware or by not being informed by their technical officers, placing their organization at significant legal risk as well.
What’s even more interesting: 56% of CEOs say that it would take a major breach within their organization to see compromised credentials as a significant threat. But we already know that almost that many CEOs are aware they’ve been breached, yet 60% are still investing most in endpoint security solutions, not identity.
The result of all this is pretty clear: Investment decisions are frequently made with incomplete data and unrealistic confidence in the ability of anti-malware to protect against breaches. Already inadequate security budgets are then funneled into the wrong areas of cybersecurity, putting organizations at significant and unnecessary risk.
Until CEOs start heeding the advice of their technical officers and the entire C-suite aligns against a common enemy, priorities will continue to be in conflict, budgets will be misallocated, and companies will be ill-prepared to stop most breaches.
Business leaders need to reevaluate top attack vectors, rethink security and come to a common understanding that what’s required is a Zero Trust Security model that verifies every user, validates their devices, and limits access and privilege.
To read more about how the security disconnect in the C-Suite is weakening cybersecurity, download the Centrify study.