For many organisations, the IT security glass may seem half empty…
As we continue to enter further into the digital era, technology has become ubiquitous and integral. Not only do we as individuals carry our own powerful hand-held computers to organise and enrich our lives; organisations employ a wealth of complex technology in order to run and manage their assets effectively and efficiently.
However, as we become more advanced, so too do the threats we face. The news is now littered with reports of breaches, many affecting some of the world’s most notable companies and institutions, from British Airways, to Yahoo, through to the German Government and – if some reports around the 2016 US elections are to be believed – potentially even democracy itself.
Many organisations are starting to take notice, and are thus becoming more aware of the threat vectors that exist in our ever-evolving digital landscape. The IT security glass may very well be half empty, though, for any organisations that cannot align advancements in their technology with equally mature cybersecurity postures.
There are three fundamental areas in which organisations can struggle when it comes to filling the IT security glass:
- Complexity of information for the organisation. From threat intelligence, compliance and regulations to security testing and audits, the amount of information that an organisation is required to digest and base investment decisions on is growing. Not only does this impact the level of resources and skills required from the internal IT team, but it is confusing for the extended team of stakeholders. The maze of information and limited visibility across the overall IT infrastructure can leave an organisation vulnerable.
- Unpredictable and ineffective spending. With no clear reporting model, organisations are basing their investment decisions on the results of the latest penetration test or security audit, or on pressure from existing or new regulations in force. This never-ending project-based model doesn’t allow for continuity and intelligent spend over time. The traditional cybersecurity spend becomes a pattern of testing, part-fixing, requesting more budget, spending budget, testing – and repeat.
- Confusing and growing compliance landscape. Between the European Union General Data Protection Regulation, PCI Security Standards Council compliance, Cyber Essentials and ISO standards, the compliance landscape is a minefield for any organisation. Although achieving compliance enables organisations to achieve a level of best practice and is a helpful negotiation tool for budget requests, it doesn’t mean that an organisation is completely protected. The constant changes in regulations also require up-to-date knowledge and skills within the IT team.
Filling the IT security glass
Employing cybersecurity maturity (CSM) is the key to turning the IT security glass from half empty to entirely full. But what exactly is it? CSM is the ability of an organisation to make cybersecurity decisions in a way that considers all relevant factors within a changing technology and threat landscape; the ability to improve defences continuously whilst the organisation operates and transforms.
Organisations that invest in creating a concise and accurate view of their cybersecurity state, and can communicate this clearly throughout the organisation, see the benefits in terms of confidence and more informed, collaborative decision-making around the value of cyber-investment.
Measuring the current state of cybersecurity maturity
There are a few variations and grading scales for measuring CSM, the most common being the COBIT maturity scale. Recent research using the COBIT scale found that only 22 per cent of IT security professionals surveyed believed their CSM level to be optimised. Almost 20 per cent described their level of maturity as non-existent or ad hoc, or did not know.
This growing lack of control and visibility directly impacts how informed and prepared an organisation is to deal with either attempted or successful attacks. If a Chief Information Security Officer (CISO) wants to have an informed business conversation with their executives about risk, they need the same level of confidence in their presentation of cyber-performance data and reporting as the finance director would have in the numbers they bring to the board.
Is IT security going to be more or less of an issue in the future?
So, back to the original question: is IT security going to be more or less of an issue in the future? The answer is entirely dependent on the decisions your organisation makes over the coming weeks, months and years. New technologies – and the risks they present – are only going to become more complex, and so organisations that stand still will see IT security become more of an issue as time goes by. But organisations that take cybersecurity seriously and employ CSM to ensure that they stay on top of the latest developments will find that they can take advantage of disruptive technologies without exposing themselves to unnecessary risk.
Whether your IT security glass is half empty or entirely full is up to your organisation and the strategic cybersecurity decisions it takes. Making positive IT security changes today will benefit you and your organisation for years to come.
Shannon Simpson, cyber security and compliance director, Six Degrees