In the wake of SolarWinds and a string of devastating ransomware attacks, the C-suite is clearly concerned about falling victim to a damaging cyberattack and wants software vendors to be held accountable for the security of their solutions, but a pair of surveys suggest they aren’t taking urgent action to protect their organizations.
In one survey, from Venafi, 94% of executives say there should be clear consequences for software vendors that fail to protect the integrity of their software build pipelines. But very few of them have changed the way they assess the security of software they purchase and the assurances they demand from software providers.
In fact, 69% of executives say their companies have “not increased the number of questions they are asking software providers about the processes used to assure the security of their software and verify code.”
The Venafi findings are not an outlier. A Deloitte report found that 86.7% of C-suite and other executives expect an increase in cyberattacks targeting their organizations over the next 12 months. And 64.8% peg ransomware as a cyber threat that will pose major concern to their organizations in the year to come. But, just 33.3% have seen their organizations simulate ransomware attacks to prepare for such an incident.
Disconnect in the C-Suite
Why is there such a disconnect in the C-suite between perceived threats and a demand for accountability on one hand, and inaction on the other? Looking at the Venafi results, Kevin Bocek, VP of security strategy and threat intel at the security firm, said that while the growing concern over the threat of software supply chain attacks and the call for software vendors “to be more forthcoming about their software hygiene,” combined with a measure of accountability, are expected, “it is incredibly surprising that not even half of executives (45%) are reevaluating their decision-making in light of SolarWinds, especially considering how few executives are confident they would be safe from the same type of attack in the future.” They should, he said, “be taking this very seriously.”
Part of the problem, Bocek said, is that “There is significant confusion as to who owns the responsibility for software pipeline security.”
The report’s findings show that “61% of executives said IT security teams should be responsible for that, while 31% said development teams should be,” he said. “This lack of consensus is hindering code security efforts and exposing companies to SolarWinds-style attacks.”
That’s happening just as “security teams are strapped when it comes to available budget and talent, which makes it harder to purchase new, safer solutions, as well as hold vendors accountable for security,” Bocek said.
In fact, “It isn’t easy for the C-suite to connect the threat back to the business risk and impact; then trying to determine if the threat is likely enough to warrant resources to protect against it,” said Cherise Esparza, CPO, CTO and cofounder at SecurityGate.
Getting security buy-in has always been a challenge for executives, since they may view the problem in terms of costs for new tools or personnel. “It may be a case of spelling out the threat regarding potential losses in a ransomware attack,” said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. “Once you consider the thousands to millions of dollars required to respond to an incident and the potential public fallout, a small early investment can have some actual savings that the C-level should consider.”
As the Deloitte survey shows, ransomware may be top of mind for executives, but bottom of the heap when it comes to taking meaningful action. That could be because awareness simply isn’t where it should be. “Many C-level executives do not yet consider ransomware threats a cross-function business issue for them to be actively involved in,” said Chenxi Wang, general partner at Rain Capital, although their “awareness has increased a fair amount – mainly due to the increased media coverage of security breaches in recent times.”
Executive awareness needs to continue on that trajectory. “C-level support is extremely important in preparing an organization to withstand a ransomware attack,” said Wang. “Support from the C-level signifies that the company is serious and committed in its ransomware defense. It also helps to secure the right amount of necessary resources for technology or process improvements.”
“C-Level support is essential to prepare an organization to withstand a ransomware attack because it involves the will to fundamentally change the way legacy IT is conducted – shifting from a set-and-forget preventative security posture, to one that emphasizes resilience by detecting and responding to an attack before material damage is done,” said Tim Wade, technical director, CTO team, at Vectra.
“Without top-cover, this paradigm shift in how an organization manages cyber risk will almost certainly die on the vine,” he said.
But “most senior leaders simply don’t know what they don’t know about security,” said Gurucul CEO Saryu Nayyar. “They are reading news about enterprises and even governments paying millions of dollars to get their systems decrypted, and they wonder if the next article will be about their organization.”
Security Through Obscurity
Some C-suiters may be aware but are sticking their heads in the sand, hoping they’ll go unnoticed by attackers. “Security through obscurity. That’s what most organizations believe, or at least hope for,” said Nayyar. “They simply don’t think they will be noticed by hackers if they keep their heads down.”
Tom Garrubba, CISO at Shared Assessments, agrees that “many executives still have the mindset that their company is most likely not on the radar for threat actors, and think ‘Why would they want to come after us?’”
That mindset can be a result of “the misbelief that they are not in possession of customer information – so why would they be a target?” said Garrubba. “They forget that threat actors deploying ransomware are in the business of corporate extortion – to sell you the decryption mechanisms once they’ve encrypted your data.”
But because cyberattacks, particularly ransomware, are expected to grow in frequency and intensity, C-level executives need to change their tactics and take action. “There is simply no clear guidance for companies on how to address these risks, what preventative measures to take, or who is responsible for securing the software,” said Bocek. “However, it starts with securing the software build pipeline, ensuring that every piece of code and every software update is secure and authenticated. From there, organizations purchasing software must educate themselves on best practices and hold providers to the highest standard possible of transparency and security.”
The C-suite should insist on proper vetting of the software vendors with whom they plan to do business. “There is very little that customers of a compromised vendor can do to protect themselves against these attacks other than vet vendors and take a strong line when evaluating third-party solutions,” Bocek said. “Ensuring that partners comply with the same standards the U.S. government is requiring for vendors is a good start; the private sector needs to be just as secure as the public sector.”
The Answer Lies in Leadership
Traditional software vendors aren’t the only ones that need to be accountable for security. “All businesses should view themselves as software developers as well. They build, release, and operate software. In doing so, every business has a responsibility to both ensure the software they use and the software they build and release,” said Bocek. “Whether you are a bank, retailer, or logistics provider, you are a software developer and need to protect software developed just like all the ISVs you rely on.”
Part of the answer, though, may just lie in how leadership tackles security issues. “C-level executives who approach the problem of ransomware rationally, ask questions of IT staff and security professionals, and approve and implement realistic mitigation strategies will find their organizations best prepared to detect early and resolve potential ransomware issues,” said Nayyar. “They should stay informed of security/ransomware trends, and understand the costs and implications of system and network loss for ransom.”