Cyber criminals are more sophisticated, and their business models more mature, than corporate boards comprehend, leaving organisations open to attack, according to a panellist at the recent Cloudsec 2016 event in London.
The audience was shown in an earlier session how criminal services are sold via underworld websites around the world. Many are highly professional with extensive support and training packages.
"Boards get it with cyber security, but they don't necessarily get how mature the business model is with online crime. You shouldn't underestimate your adversary," said Rik Ferguson, vice president of security research at Trend Micro.
Darren Argyle, global CISO at financial services company Markit, explained that boards now understand the importance of security but need security and technology teams to give them more detail about the risks.
"CEOs do get it. That's the challenge, as they're now asking questions about our maturity and the risks," he said.
"My experience is they want to drill down to the next level of detail, asking which parts of the business and which mission-critical assets are more at risk. We need to be better informed as to how to communicate with them and keep it in business terms."
Troels Oerting, global CISO at Barclays, and former head of cyber crime at Europol, agreed that boards are now up to speed on cyber security issues and that security funding has increased with this improved understanding.
"In the early days we had a problem with board-level understanding, but now they're all over it. It's partly because there's lots of regulation in the banking sector," he said.
"They still don't exactly throw suitcases of money at me, but they want to give me what I need because security needs to be good enough to protect our assets, and we need to take our customers' security very seriously."
Ferguson pointed to the appointment of Oerting, with his background in law enforcement, as evidence of the increased level of security awareness at large organisations.
"Organisations like Barclays have now started hiring people like Troels. That didn't happen three to four years ago. He's a walking demonstration that attitudes in the boardroom around recruiting C-level positions have changed," he said.