The barrage of recent headlines about cybersecurity breaches at prominent companies and government institutions should have at least one silver lining: It will prompt organizations to finally get their security act together.
Or so you would think, but new research indicates that the opposite may be true. NTT Com Security's 2016 Global Threat Intelligence Report found that 77% of organizations say they don’t have a formal security incident response plan in place, a number that is actually up slightly from last year. Most fail to implement basic security measures like patching and updating software. More than 12% of vulnerabilities that NTT log analysis discovered were more than five years old.
What the heck is going on here? I’ll share my own opinion at the end, but I also asked three experts what they think explains the stunning ennui that continues to plague security preparedness.
Wikibon chief analyst David Vellante said overreliance on tools is a big part of the problem. Implementing new technology “demonstrates to management that something is being done,” he said, “but it doesn't get to the root of the problem, which is that security should be both a shared responsibility across the enterprise and also an embedded part of risk management.” Organizational issues are tougher to solve than tech ones, and risk management requires time that many business leaders don’t believe they have in these chaotic times.
Longtime CTO Jim Stikeleather agreed that companies spend too willingly on technology — which he called the “visible” element of security — without spending time on two less-visible elements: detecting breaches and putting plans in place to respond to them. What’s more, each breach is unique, making it difficult to find best practices for protection.
You can hire outside expertise, but then “You’re paying for an actuarial risk reduction that is often forgone as budgets get tight,” he said. “There is no one-size-fits-all, no universal best practice and no ‘click here to install’ that takes care of everything.” A complete incident response plan should assign priorities to every element of data and include rigorous detection. And who’s got the time for that?
Stikeleather also suspects there is a bit of the “avoiding the doctor” syndrome at work. It’s better not to know how unprepared you are for a breach than it is to do the work necessary to find out how ugly things really are.
Jon Oltsik stated his views succinctly. “Many organizations are simply overwhelmed by the cybersecurity workload,” said Oltsik, a senior principal analyst at Enterprise Strategy Group. “They are reacting in fire-drill fashion and not spending enough time on assessment, training, planning and strategy.” Putting out fires without priority levels or rehearsed responses “can lead to devastating results.”
The theme that runs through all of these opinions is that cybersecurity isn’t a problem best solved by tools. Preparedness demands time, discipline and tough decision-making, even when those decisions may go against other interests. For example, Stikeleather noted that centralizing data may be a good thing for the business, but it’s inherently less secure.
My own opinion is that the report also masks some good news. Organizations feel less prepared because they’re more aware. Headlines have elevated the importance of cybersecurity, but this is a multi-headed monster that defies simple solutions. Many organizations are in temporary paralysis while they figure out a response. Or at least that’s what I hope.
Paul Gillin writes, speaks and trains marketers and corporate executives to think like publishers. Gillin specializes in social media for B2B companies. He is a veteran technology journalist with more than 25 years of editorial leadership experience. All opinions expressed are his own. AT&T has sponsored this blog post.