Only 36 percent of IT security pros believe their company’s senior leadership sees security as a strategic priority, according to a Ponemon Institute report. Why is there such a disconnect between the people with the budget and the ones in the trenches? We asked IT folks for their take. Here’s what they said.
Certain truisms in the IT world have been persistent since the late 20th century. A primary one is that few enterprises test their backup/restore until an actual major crisis is reported, and even then, IT might only make sure the system is still running, rather than determining if it works as it should.
A similar attitude has been applied to security over the past decade or so. Everyone talks about the importance of security, but once you get beyond applying regular updates and securing a network’s perimeter, no one worries until a major breach is reported. Even then, if basic security precautions are in place, enterprises are loath to spend additional money beefing up or significantly upgrading their security unless they have a specific, well-publicized flaw that must be assessed.
Even worse is that as technology changes, so does the security threat. The move to Internet of Things (IoT) devices and edge computing exponentially increases the attack surface IT security must address.
So, let’s take a look at some ideas that can help address the ever-growing security issues that will come as a result of growing the edge and IoT.
Although it is widely acknowledged that cybersecurity is a growing threat, corporate inertia still limits what is being done about it, according to a recent Ponemon Institute report on global megatrends in cybersecurity. The research found that just 36 percent of IT security professionals believe their company’s senior leadership sees security as a strategic priority. That likely means less money is being spent on the technologies and personnel needed to combat security issues, according to the report.
And it gets worse. Even though the Ponemon research found that most respondents (82 percent) expect their workplace to suffer a catastrophic data breach in the next three years, leading to a significant decline in shareholder value, it also shows that boards of directors are not engaged in the oversight of security strategy: Sixty-eight percent of survey respondents said their company’s board of directors is not being briefed on what their organization is doing to prevent or mitigate the consequences of a cyberattack.
The report reveals a worrying disconnect between senior IT leaders and company executives. While most executives presumably understand the need for security within their organizations, there remains some foot dragging when it comes to focusing on protecting the value of the organization.
Until now, IT leaders have mostly dealt with security threats by patching, maintaining, and monitoring systems for anticipated weaknesses. But IT departments are generally under-budgeted and under-staffed, and companies are under pressure to modernize their IT to increase efficiency and lower operating costs. So, in some cases, maintenance chores are not completed, which creates vulnerabilities that can lead to a compromised system.
On top of this, IT professionals are now facing a new threat: their quickly-growing IoT deployments. This explosion in connected devices—from light bulbs to industrial machines—creates more exposed entry points, leaving enterprise networks more vulnerable. For every secured device there may be a handful that have no built-in security. Gartner reports that 6.4 billion connected devices were in use worldwide in 2016, up 30 percent from 2015, and predicts that number will reach 20.8 billion by 2020.
The explosion in IoT deployments is giving attackers a new route to break into companies. A 2018 Trustwave report titled “IoT Cybersecurity Readiness Report” says 61 percent of companies have deployed some level of connected technology over the past year and have had to deal with a security incident related to those deployed devices. Yet only 49 percent of the companies surveyed have put formal patching policies and procedures in place to prevent attacks. Worse, only 28 percent said their IoT security strategy is “very important” to their organization.
One challenge for companies trying to mitigate this risk is the prevailing “silo mentality” inside IT departments, says James Stanger, chief technology evangelist at CompTIA, an industry trade association. Stanger says those in executive management don’t fully understand the risk of cybercrime because there is a lack of good communication between IT leaders and the C-suite and few cybersecurity managers know how to convey the risk to executives in a non-technical way. Similarly, the metrics IT workers use to prove they are reducing risk are not uniform across the industry, he notes.
“If I’m a CEO, I can see that we just spent $200,000 on security controls, but is my IT manager giving me a good enough insight into how that money brought value?” Stanger asks. “I know we haven’t been hacked, but how do I know that money was wisely spent?”
Stanger also says there’s a prevailing “It can’t happen here” mentality inside executive suites. Some companies don’t realize data breaches can happen to them, he explains, and that they can have a serious economic impact. Until a vulnerability hits a company’s bottom line, executives may not feel the need to turn their attention to cybersecurity, despite all the coverage in the news, he says.
Are you ready for the IoT? IDC created a framework that will get you started.
The economic threat of cybercrime continues to grow. A 2018 McAfee report titled “Economic Impact of Cybercrime—No Slowing Down” says the cost of cybercrime has hit 0.8 percent of global gross domestic product, or $600 billion a year, up from 0.7 percent of GDP, or $500 billion, in 2014. The report cites such factors as quick adoption of new technologies by cybercriminals and a growing financial sophistication among top-tier cybercriminals as reasons for the growth.
Amelia Estwick, program manager at the National Cybersecurity Institute at Excelsior College, points to another challenge for companies: a dearth of skilled security workers. Most companies don’t have the budgets to hire dedicated security teams and expect the IT department to manage this task, she says. But IT teams are stretched and distracted, she adds, and spend most of their time on tasks such as maintaining software (patches, updates, etc.) or troubleshooting problems. A report last year from the Ponemon Institute and IBM found that the average time it takes an organization to identify a data breach is 191 days, down just slightly from an average of 201 days in 2016.
Estwick says the nature of the threat to organizations is changing. Previously, businesses faced intentional threats in the form of targeted and untargeted attacks. Now, to leverage costs and efficiency savings, businesses are moving their operational activities to IoT, deploying thousands of devices that are connected to their networks and, in some cases, not being watched. What are the levels of protection around these devices?
Many companies are at the mercy of the IoT device manufacturers, says Stanger. Companies tend to set up the devices and don’t revisit them until there is major breach, at which time they may realize no one has checked on the deployment in, say, a year. And many of these devices have been rushed to market and so may not have very tight security controls, he adds.
Stanger also notes that IT managers are often not taking the time required to properly configure their security tools.
“What I’ve noticed about many companies that have suffered large-scale breaches—companies such as Target and Home Depot—is they all had the appropriate cybersecurity systems in place, but they had not taken the proper procedures to correctly configure those systems,” he notes. “If you ask good security professionals, it takes nine months to a year to get a security system working correctly.”
Another hurdle is the lack of clear financial incentive for company executives, says Brian Lee, an assistant professor at the University of Massachusetts Lowell who focuses on operations information systems in the university’s Manning School of Business.
“What usually happens, from a research perspective, is IT security is not something that clearly improves the company’s profit, so that is why senior management may not put a strong emphasis on it,” Lee says. “But, although it may not immediately improve the profit of the company, it actually improves the productivity and customer welfare, so IT security investments are a necessity.”
This lack of understanding about the way a budget is spent could mean that while a CTO wants more investments in security safety measures, a CEO may say the company has already invested so much and the CTO may feel his or her job may be on the line, notes Stephen M. Byars, associate professor of clinical business communication at the University of Southern California Marshall School of Business.
“The CTO may find him or herself always going to the CEO to ask for more money, given the increasing threat of a cyber-hack, but the CTO doesn’t want to be known as the one department leader in the firm always asking for more money, even though that may be the reality of the circumstances because the threat becomes more sophisticated each year,” Byars says. “But just in terms of corporate governance, no CTO department wants to be the one department head always asking for more.”
With the threat growing more sophisticated and aggressive, the Ponemon report urges business leaders to work with their IT teams to identify potential vulnerabilities, develop an action plan, and invest to protect the value of their organization. According to Ponemon’s research, a business with a strong cybersecurity stance can support innovation and lower the costs it will inevitably incur when responding to data breaches or cybercrime.
To improve readiness, organizations should take such measures as expanding the CISO’s role and responsibility or require frequent audits and assessments of security policies and procedures, the report notes. It also suggests using threat intelligence sharing and performing frequent audits and assessments of the company’s security policies and procedures.
And given that 82 percent of respondents say it’s likely that their organization will experience a data breach caused by an unsecured IoT device in the workplace, the advent of IoT computing gives security professionals an opportunity to completely rethink their security models, says Stanger.
“With IoT, we have a lot of more devices out here and a lot more that have been rushed to market. So you have a lot of companies that are wanting to use these devices but haven’t asked about security,” Stanger says. “The best [devices] are the ones that are built with security in mind.”
According to the Ponemon Institute, the organizations represented in its 2018 cybersecurity report (including more than 1,100 senior IT practitioners in the United States, Europe, and the Middle East and North Africa region) are planning to take the following actions to improve their preparedness for cyberthreats:
Source: Ponemon Institute’s 2018 Study on Global Megatrends in Cybersecurity
This guest blog can also be viewed on the HPE website.