As organizations prepare to head into 2019 it’s apparent that IT has never been more strategic. More organizations than ever recognize they are to one degree or another a software company that happens to provide a service or make something.According to a recent study, cloud computing, cybersecurity analytics, and mobile computing are the highest priorities for cybersecurity investment. ~@mvizardClick To Tweet
But a new report from the global consulting firm EY also makes it all too clear that cybersecurity continues to be approached as a tactical rather strategic issue.
Based on a survey of 1,400 C-level cybersecurity and risk leaders, the frank assessment of the state of cybersecurity from EY finds only eight percent of respondents feel their information security function fully meets their needs. In fact, only 18 percent of respondents say information security fully influences business strategy plans on a regular basis and 60 percent notes that the person directly responsible for information security is not a board member.
On a positive note, 78 percent of respondents at larger organizations and 65 percent of respondents at smaller organizations feel their information security function is at least partially meeting their needs. The survey also finds that most organizations are willing to throw money at their cybersecurity issues. Cybersecurity budgets within larger companies increased this year (63%) and next year (67%). Smaller companies also increased IT spending this year (50%) and next year (66%).
Specifically, the study also reveals cloud computing (52%), cybersecurity analytics (38%) and mobile computing (33%) as the highest priorities for cybersecurity investment. Most organizations (77%) are also seeking to move beyond basic cybersecurity protections to embrace advanced technologies like artificial intelligence, robotic process automation and analytics among others, the report finds.If money and technology could solve the problem, cybersecurity would not be the issue it is today. Something needs to fundamentally change within most organizations. ~@mvizard Click To Tweet
Clearly, senior leaders appreciate the gravity of the situation. A full 70 percent of all organizations (73% and 68% of the larger and smaller organizations, respectively) say senior leadership have a comprehensive understanding of security or is taking steps to improve it. But understanding something and being able to act on it are clearly two different things. If money and technology could solve the problem, cybersecurity would not be the issue it is today. Something needs to fundamentally change within most organizations. That thing invariably comes down to how business processes are constructed.
Most business processes are constructed with any towards making them as efficient and frictionless as possible. Once they are constructed they are then presented to IT teams to secure. Cybersecurity is almost always an afterthought. As more business processes become digital in nature a new approach is going to be required. Each distinct component of a digital business process needs to be secured as it is constructed. A digital business process is only as secure as its weakest link. Asking a team of cybersecurity experts to deconstruct a digital business process to figure out where vulnerabilities might be hiding after its been constructed is both fundamentally inefficient and deeply flawed. As every line of code that makes up that digital business processes gets written, best DevSecOps practices need to be applied to secure each component of the process. That means shifting much more of the responsibility for implementing security controls on to the shoulders of developers as applications and processes are being built. There’s no easy button when it comes to DevSecOps. It requires a fundamental shift in thinking about how applications are built and delivered. But if senior leaders are truly serious about improving cybersecurity, there is no time like the present for the entire organization to learn how to build and maintain a secure digital process.
Barracuda Email Security and Data Loss Prevention solutions can protect your company's Office 365 environment from advanced threats, accidental deletions, and more. Visit us online at http://cuda.co/office365
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.