Deloitte: In Romania, information security officers are struggling their way up on CEOs' agenda

Worldwide, information security and cyber resilience are becoming fundamental business issues

Amid an accelerated pace of technology development and increasing risks and cyber threats, security issues need to be addressed with long-term strategies and specialized teams. This means dedicated budgets and a thorough selection of information security officers that have the challenging task of keeping cyber threat at bay. 

"The business significance of information security officer positions has increased in recent years in Romania; companies that few years back did not have an information security open position or expressed limited interest in this topic overall are increasingly aware of the need to address this area of strategic importance,” said Bogdan Petre, ERS Manager. "From experience we can say that this awareness is higher in large companies (multinationals, mostly), since the call for information security function is required by the group policy. Although the information security officer has generally 'stepped out of his office limits' and gained more influence, companies' approach in this area still doesn't match the current high level of risks and cyber threats. Budgets are also limited. Generally, neither the IT team, nor the business is fully aware of the number and severity of current incidents, which cannot fully justify investments or bring bigger budgets in information security management.”

Catalin Tiganila, ERS Senior Manager, added: "Security issues are getting ever more complex, with even traditional methods considered among the safest currently being questioned. For example, in a recent study released by Deloitte, both analysts and top executives in the TMT industries predicted that more than 90% of user-generated passwords  - even those considered strong - will be vulnerable to hacking in a matter of seconds or minutes. Additional forms of authentication including token devices, additional passwords sent through SMS to users' phones, fingerprints and other biometrics, or even 'tap and go' smart cards may be required.”

Deloitte's Enterprise Risk Services practice helps clients to manage risk through a comprehensive range of services designed to help them understand business risks, determine acceptable levels of exposure, implement controls and provide ongoing measurement, monitoring of the risk environment and compliance. 

The ERS team in Romania, with around 20 professionals, provides services of Attestation and certification of IT systems, General Computer Controls Assessment, Contract Risk & Compliance, IT Risk Management, Advisory and Audit on Information security and IT service Management standards and Security & Privacy Services.

Clients include top companies in major industries and state entities. 

Increased global awareness

According to the latest Deloitte Touche Tohmatsu Limited (DTTL) TMT Global Security Study, executives at the world's largest Technology, Media and Telecommunications (TMT) companies have replaced compliance with implementing a 2013 security strategy and roadmap as the number one driver for improving information security. The study also reveals that companies are starting to recognize information security to be a fundamental business issue, with companies increasingly focused on cyber resilience, not just security.

The survey, which also identified lack of employee awareness and third party risks as top security vulnerabilities, suggests that TMT organizations should also invest in information security training and awareness for their employees to help mitigate risks from new technologies.

"The question is not if you will be attacked: the question is when and how you will respond,” said Jacques Buith, DTTL Global TMT Security and Resilience Leader. "Effective management of information security risks requires a robust combination of prevention, early detection, and rapid response. Being cyber resilient is just as, or even more, important than being cyber secure alone.”

Partnering for cyber resilience

Additionally, results of the study suggest overconfidence in protection against external threats, with 88 percent of executives not viewing their company as vulnerable. However, when pressed further, more than half of the executives acknowledged experiencing a security threat in the last year. Further, less than half of survey respondents reported having a response plan in place to address a security breach and only 30 percent believe third-parties are shouldering enough responsibility for cyber security. Also, 74 percent of the 121 executives surveyed rate security breaches at third parties as one of their top three threats followed by denial of service attacks and employee errors and omissions.

"No organization is protected 100 percent,” underlines Andrei Ionescu, ERS Director, Deloitte Romania. "Each organization needs to have clear detection and response rules for such situations. Organizations should not only work with their third-party business partners to understand and improve their security practices, they should also engage policymakers, regulators and enforcement agencies and be willing to share their sensitive information to help address the global issue of cyber risk.”

Other major threats identified by respondents include advanced persistent threats (64 percent) and hacktivism (63 percent), new to this survey, which combines social or political activism with hacking.  While more than half of those surveyed gather general intelligence information, only 39 percent gather information about targeted attacks specific to their organization, industry, brand or customers.

People, technology and mobile devices

According to the survey, innovations in technology and the people using these technologies also rank as one of the biggest threats, with 70 percent listing their employees' lack of security awareness as an "average” or "high” vulnerability. Employees without sufficient awareness of security issues may put an organization at risk by talking about work in public, responding to phishing emails, admitting unauthorized people into the organization's facilities.

Additionally, the study finds that new technologies exacerbate the problem. While they can provide powerful new capabilities that may benefit the business, they also introduce new security risks at a faster pace than many organizations can handle. Seventy-four percent of the executives ranked the mobile and bring-your-own-device technology trend as a continued concern but only half of the organizations surveyed indicated that they have specific policies for mobile devices in place.

About the DTTL TMT Global Security Study

The goal of the DTTL TMT Global Security study is to provide TMT companies with insight into the security and privacy challenges and threats that they currently face or will face as an industry. The study is developed based on the results of interviews with security executives of 121 TMT organizations from 38 different countries representing every geographic region. The study surveyed participants from all three TMT sectors and with respondents spanning the full range of revenue categories.

The full report can be accessed at http://www.deloitte.com/tmtsecuritystudy.