Businesses today accept the presence of cyber risks. In fact, 70 percent assume a business-altering event will occur in the next few years (FutureWatch Report), but they often have a harder time identifying specific risks, key factors and mitigation strategies. Worse, the board or senior leadership often makes assumptions about the safety of the firm that are overly optimistic when compared to the confidence ratings of security practitioners.
The difference between awareness and understanding is driven by the communication gap between the board and executives steering the business, and the security experts close to the problem. Both parties struggle to comprehend the other’s needs and responsibilities.
A firm's risks stem from a handful of business aspects, including the firm’s participation in high-risk industries, its appetite for emerging technologies, and willingness to properly invest in targeted security practices. While this sounds obvious at first, it’s lost when the line of sight from the security practitioners to the board is over the horizon.
This article will explore board-level concerns, key drivers to invest in security, and how emerging technologies outpace the evolution of security technologies and services. The data presented in this article was collected in late 2018 through third-party research that surveyed 1,250 security executives, managers and practitioners. Data was collected from the United States, Canada and the United Kingdom. Participants were equally represented across various industries and company sizes, ranging from fewer than 100 employees to 5,000 employees or more. Read the full FutureWatch Report.
Business leaders such as the CEO, board members and technical executives (CIO) alike predict a major cyber-attack in the next two to five years: over 60 percent of respondents assume a major event will occur. Interestingly, 77 percent of CEO and board respondents consider their organization prepared for such an event. As expected, technical leaders are approximately 20 percent more likely to predict an attack and are 10 percent less optimistic than their business peers about their organization's preparedness.
Senior leadership fears operational disruption, reputational damage and significant financial losses over regulatory penalties as top consequences of a major security event.
While business leaders show confidence in their firm's ability to manage a security breach, the devil is in the details. Some 29 percent of respondents indicated that their high-value or high-profile information is not adequately protected. And two-thirds of respondents are not confident that their cybersecurity programs match their peers', or that their programs are appropriately resourced.
Boards and security practitioners still struggle to translate their concerns and objectives. Only one-third of business leaders are confident in their security executive’s ability to monitor and report on cybersecurity programs and 66 percent worry that these programs are not aligned to business objectives.
IT and security leadership sentiments echo this concern. Most organizations struggle to show the value of IT security spend to senior management, including difficulties with status reporting. Aligning to enterprise risk management confounds over half of businesses, along with the ability to manage external risks with third-party vendors and the growing complexity of regulatory compliance.
On the positive side, progress has been made over the last few years. The CISO is no longer the least interesting person to the board until a breach suddenly makes them the most important one. Over half of respondents indicate their board is very familiar with the security budget (51 percent), overall strategy (57 percent), policies (58 percent) and technologies (53 percent), and reviews current security and privacy risks (51 percent). Moreover, the line of sight from the CISO to the board is more direct. Forty-five percent of security officers report to the board or CEO, 33 percent continue to report to the CIO and a small handful (10 percent) report to a privacy or data officer.
Moreover, nearly two-thirds of security budgets are set to rise in 2019. Spend on the security side is still reactionary. While regulatory requirements sit at the bottom of the board's concerns, they top the list for security practitioners. A security team's spend is generally reactive to client demands, major technology purchases, a major security event or near miss, and the adoption of emerging technology.
IT and security teams find themselves in a difficult position between meeting the demands of the business to adopt emerging technologies that offer competitive advantage, and carrying the burden of mitigating the risks that come along with new deployments.
Nearly three-quarters of respondents are currently using cloud services or plan to deploy cloud services in the next six months, with financial services, manufacturing and healthcare leading the adoption rate. Only law firms lag in their cloud adoption. Artificial Intelligence (AI), Internet-of-Things (IoT) and Industrial IoT (IIoT) top the list behind cloud.
Cloud security adoption is the priority, followed closely by identity and access management, threat detection and response, and endpoint detection and response. Security Information and Event Management (SIEM) moves beyond a compliance tool and now plays a role in the greater detection and response portfolio.
More than half of telecom, information technology, financial services and manufacturers invested in securing their cloud services. Similarly, financial services, healthcare and manufacturing also emphasize threat detection and response investments. These industries are equally investing in identity and access management as a response to a more distributed workplace. Again, law firms are significantly less likely to adopt these technologies.
Digital transformation is here to stay and brings with it a drive to always evolve and constantly change. Economics demand that vendors constantly improve and offer new features and technologies, at a pace that outstrips our understanding of the associated risks. We focus on the benefits while assuming vendors have resolved the security issues. For example, cloud technology tops the list of security priorities today, but AI and IoT/IIoT are on track to surpass cloud as the primary risk concern in less than two years.
This challenge will only increase over the coming years as 5G facilitates a ubiquitous mosaic of always connected devices. Risk associated with emerging technologies becomes more concerning as adoption rates accelerate, compressing the time in which organizations and vendors can adapt and develop appropriate security controls and deploy protective solutions.
Law firms report the highest levels of risk when it comes to external actors and attacks, and to their ability to report status, show value, and meet internal risk standards and regulatory requirements. Transportation and IT firms report higher than average levels of risk. Financial services tend to run just below industry averages across external attacks and internal or industry requirements.
Digital transformation touches every facet of business operation and redefines how businesses engage with their customers. The emerging technologies underpinning this tectonic shift must constantly expand capabilities and adapt to survive in a competitive environment. Current security approaches are not fluid enough to keep pace with adoption of emerging technology and platforms.
Today, most firms identify their primary security posture as leveraging prevention technologies and device management. Firms that leverage a predictive security model such as threat hunting, machine learning, and device analytics reduce their risk by thirty percent. Less than one-fifth of firms identify as predictive. The trend is consistent across all industry segments with financial and healthcare services leading the charge and law firms lagging.
Firms adopting predictive security models are better able to identify never-before-seen threats and have engaged rapid response capabilities to reduce the risk of a business-altering event. Over the next two years, older preventative models drop to less than one-third, while predictive threat hunting will more than double to 40 percent. This trend correlates with the shift in business drivers away from regulatory dominance toward business-centric considerations such as operational disruption, reputational damage, and, of course, financial losses.
Interestingly, advanced firms are more apt to adopt emerging security technologies such as endpoint detection and response, threat detection and response, identity and access management, and cloud security. Moreover, mature firms aggressively leverage SaaS and are more likely to adopt 100 percent cloud-based security services than firms using a device-management model. Outsourcing is a palatable alternative to recruiting and retaining threat hunting talent from a pool that cannot support the growing demand.
Digital transformation continues to expand an ever larger and more fluid attack surface, which well-resourced adversaries such as organized criminals and nation-state actors probe with advanced methodologies. Regardless of industry, businesses operate in a world with ever-increasing accountability to protect their clients' confidential information, adhere to state legislation, comply with privacy laws and meet the growing complexity of overlapping regulatory obligations.
This triad of risk demands that IT, security practitioners and leaders align with business governance objectives, while senior leadership acknowledges its role in establishing expectations and providing the resources to adequately protect the business, its investors, employees and customers.
We’ve left the world of prescriptive regulations as the measure of a security end state. Many organizations recognize that the financial loss associated with operational disruption and reputational damage outweighs the penalties set out by regulators. In the future, organizations will likely move to a perspective driven by their clients. In this state, brand and reputation will form the barometer by which a company’s security performance is ultimately measured. Protecting the client will mean, by extension, protecting their data and services, avoiding operational disruption and the resulting financial losses.
Author: Mark Sangster, Chief Security Strategist at eSentire
Mark Sangster is an industry security strategist and cybersecurity evangelist who researches, speaks and writes about cybersecurity as it relates to regulations, ethical obligations, data breach incident response and cyber risk management.