Smart data, Anne-Tania Desmettre
Cyber incidents are on the rise. Global insurance and reinsurance brokerage giant Aon listed 3,718 cyber incidents worldwide in the first half of 2019. That is already above the totals for the whole of 2015 (3,391) and of 2016 (3,252). The severity of the claims is also on the rise.
The continued rise in security breaches is at odds with new European legislation, which imposes a much higher level of vigilance than past practices. It is clear that there will be no slowing down in the use of digital technology in our personal and professional lives. Companies will continue to collect and exploit an ever-increasing amount of personal data. The combination of these two factors can only lead to an increased risk of security breaches.
It is therefore incomprehensible that companies still fail to take the full measure of the digital context. Why are they still failing? There are three main reasons: a cultural problem, a lack of organization and a poor understanding of data.
Security neglected by senior management
First of all, from a cultural point of view, the CISO is often the only person in the company to deal with security issues. General management is not interested in security. On the one hand, it is probably considered too technical a subject. On the other hand, since it does not have the technological skills to deal with it, general management blindly defers to the isolated CISO.
"Today, companies only spend 2% of their overall IT budget on data and network protection. This is not enough."
The second major reason is organizational: in order not to be isolated, the CISO should have his own unit and report directly to the CEO. This separation of powers would force the CEO to listen to and understand the risks and issues related to security breaches, and therefore to be fully responsible for the decisions and budgets committed. According to Canalys, companies today spend only 2% of their overall IT budget on data and network protection. That percentage is far from sufficient.
Finally, in terms of understanding data, as long as companies do not treat data as a subject in its own right and as equivalent to the company's strategic products, there will be no global approach to data exploitation, security issues included.
A lack of shared accountability
Data security concerns us all. There is a lack of accountability in the use of social networks. There is a lack of shared accountability between citizens and businesses because of the abstract nature of cyber security. Since the lack of security is not physical at first glance, the great difficulty of this subject is that it does not generate a feeling of insecurity, except perhaps for companies that have been confronted with it.