Getting the Board On Board with Security


We are all aware of how much digital transformation is affecting businesses, along with consumers, governments, and society in general. Businesses are now moving to the cloud at an unprecedented rate, access to even sensitive data is immediate and available through a myriad of devices and applications, even mundane devices like washing machines and toothbrushes are connected and internet-enabled, and everyone from toddlers to grandparents is online. 

This evolution is raising some serious questions, such as: What are the social implications of this sort of connectivity? What happens when literally everything is hyperconnected through a ubiquitous global network mesh? And with so much information about our lives floating through cyberspace or stored in massive, virtualized digital data centers, what are the real risks that come with this new digital age? And finally, how seriously do the organizations that manage or process this information take that risk? 

The answer seems to be, not seriously enough. 

Gartner predicts that 60% of digital businesses will suffer major service failures due to the inability of security teams to manage digital risk. And a significant part of the problem revolves around the fact that senior executives and Board members, even in spite of the massive security and data breaches organizations have experienced recently, still don’t see security as a critical business problem. 

This isn’t new. C-suite executives and Board members have always been focused on the bottom line, and security has always seemed to be more of a cost liability than a business enabler. It’s one of those expenses that don’t really show much return, because when security is done right, nothing happens. And when nothing happens for long enough, it’s easy to begin to wonder if all that expense is really worth it. 

In a newly released report sponsored by Fortinet, entitled “Global Enterprise Security Survey”, over 1,800 IT decision makers and CSOs were asked about the security strategies of their organization. And unfortunately, almost half of respondents believe that security is still not a top priority discussion for the Board. At the same time, 77% argue that cybersecurity needs to be a top management priority, and that the Board should put IT security under greater scrutiny before a breach occurs. It’s just that such concerns seem to be falling on deaf ears. 

The truth is, security only seems to get the Board’s attention after a security event occurs, such as when a major attack makes the news or after the organization has experienced an attack. As you would expect, the majority of Boards (77%) demand to know what happened after a security event occurs, and only then are security budgets reviewed or increased. While the result is that 71% of organizations report that they are spending more now on security than they did last year, by an average of about 7%, post-breach management is almost always less effective, and more expensive, than prevention. 

And this sort of reactive approach comes at a cost. For 70% of businesses that suffer an attack, IT gets the blame for security breaches, even though resources to stop such an event are only made available after the event occurs. In fact, less than a third of Boards feel that the problem lies with an inadequate investment in security products or solutions. It’s the sort of catch-22 blame culture that can quickly demoralize an IT team. 

There are a couple of bright spots for making security a higher priority, however. Increased government and industry regulations, for example, are helping raise the importance of security with the Board. Over a third of respondents indicated that new regulations, such as the General Data Protection Regulation, which goes into effect in the EU in 2018, heighten the awareness of security at the Board level. 

The other bright spot is the cloud. 77% say the transition to cloud, along with the security resources needed to support it, is a key priority for the Board. Half of organizations say they are planning to invest in cloud security in the next year, and three-quarters of IT leaders believe that their increasing migration to the cloud will continue to make cloud security a priority going forward. 

56% of those surveyed expect to invest in new security solutions and services in 2018. However, digital transformation is only driving a renewed interest in some aspects of security. While securing the cloud is certainly a critical priority, it’s not where most of the challenges currently faced by organizations reside. Increasingly complex and highly elastic networks significantly expand the potential attack surface, and most traditional security deployments are simply not up to the task. 

IoT strategies and newly connected OT infrastructures have now made networks, and the critical resources and data they contain, more vulnerable than ever. As a result, over the past two years nearly half of all organizations reported experiencing a successful malware or ransomware attack, and nearly 4 in 10 experienced a data breach. 

Most of these attacks are not coming through the cloud. 

The vast majority of security events are the result of inadequate security hygiene in the traditional networks. For example, vulnerable devices deployed in critical places aren’t being patched, upgraded, or replaced. The problem is so endemic that cybercriminals have recently reallocated their development resources to post-breach malware development rather than new penetration techniques because they assume that they will be able to simply exploit a known vulnerability to get in. 

In addition, only about half of IT leaders feel confident that they have full visibility and control over employee access, or believe they can adequately enforce IT security policies within their organization. And the solutions they have in place are increasingly inadequate as well. For example, nearly half believe that BYOD and IoT security aren’t prioritized enough as part of their overall security strategy, which is why most experts predict that more than 25% of all security attacks will target IoT devices by 2020. And OT infrastructure, which has traditionally been isolated, is now being connected to the network and Internet, exposing sensitive and oftentimes fragile network components to new risk. 

All of this adds additional stress and unprecedented volumes of data needing inspection on already overburdened and far too often isolated security devices. As a result, 52% of IT leaders say they struggle to find solutions that are able to keep up with the growing performance demands of the network. And as experience has shown, when security becomes a bottleneck, users start looking for ways to circumvent the problem. 

The reality is that security events represent an ever-increasing burden to today’s digital businesses. But unfortunately, the Board tends not to get involved until things go wrong. CSOs need to take a more proactive stand, not only by explaining the growing risks and impact from increasingly sophisticated cyberattacks, but also by helping Boards see that investing in security can be a business enabler rather than a cost center. Migration to the cloud is a topic the Board does worry about, and capitalizing on that raised awareness can help put security for the rest of the network on the agenda. Hopefully, before the next security event occurs.