Most IT professionals are plagued by the same whistling-past-the-graveyard feeling. They know the IT environments they are responsible for are prone to disruption by any number of potential security threats. Despite that awareness, however, most of those IT professionals clearly don’t have anything that remotely approaches a plan for how to respond when one of those potential threats turns into a real living nightmare.
In fact, a new survey of 2,400 IT and security professionals conducted by The Ponemon Institute on behalf of IBM finds 66 percent of respondents say their organization is not prepared to recover from cyberattacks.
A full 75 percent of respondents admit they do not have a formal cyber security incident response plan (CSIRP) that is applied consistently. Among those that do have a plan, 52 percent have either not reviewed or updated the plan since it was first put in place.
Two-thirds of respondents (66%) also identified insufficient planning and preparedness as the top barrier to cyber resilience. Another 46 percent of respondents identified the complexity of IT processes as a significant barrier, while 52 percent cited the complexity of business processes as a significant barrier.
It would be safe to assume that all three factors are at play in just about any IT organization. Organizational inertia coupled with lots of complexity tends to create a recipe for IT security disaster. The paradox at work here is that an application becomes more valuable the more it is integrated with other applications. The trouble is that integration is the enemy of security: the more things that get integrated, the greater the attack surface that needs to be defended becomes.
In the age of the cloud it’s apparent that integration is now also reaching unprecedented levels of scale. In fact, it should not come as that much of a surprise to find that 41 percent of the survey respondents said the time it takes to resolve a cyber security incident has increased in the past 12 months.
As Ben Franklin once sagely observed, “failing to plan is planning to fail.” These days IT teams are judged not just on how well they can defend an IT environment. Everyone knows that some sort of IT security breach is almost inevitable. What business leaders want to know is how long it will take to recover from that security breach. After all, in the age of digital business every minute an application or service is not available now directly translates into lost revenue that might far exceed whatever cost a hacker may have already inflicted. In fact, the inability to recover quickly from an attack is more likely to lead to IT dismissals than whatever lapse enabled the attack to occur in the first place.
There’s naturally a disinclination to plan for failure. But the fact remains that there are far too many IT security issues and elements that are beyond the control of the IT department. What is firmly in their control, however, is how the organization responds to an attack once it’s discovered. After all, most business leaders are at least aware of the risks. They just think the potential rewards outweigh the risks. At the same time, however, they also want to have confidence in the ability of the IT department to minimize potential losses once that risk-versus-reward equation starts to tip in the wrong direction.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.