One of the root causes of all the cybersecurity issues organizations encounter today comes down to the fact that historically cybersecurity has been treated as an afterthought. Applications have been built with little regard to how they should be secured. As a result, cybersecurity controls generally wound up being layered on top of and around applications and processes that otherwise would have been much more secure had even the most rudimentary precautions been taken.
Hope, however, does spring eternal. A new survey of technology and finance leaders conducted by Grant Thornton, a provider of accounting and consulting services, in collaboration with the Technology Business Management (TBM) Council finds 75 percent of IT organizations are building cybersecurity into business strategy. But under the heading of the proverbial glass being only half full, only 50 percent claim they understand the effectiveness of these programs or have put a cyber-crisis response plan in place, the survey finds. That makes it a little tough for at least half of the survey respondents to cost-justify whatever investments they might have made in cybersecurity.
The good news is spending on cybersecurity is up across the board. A total of 83 percent of respondents say they increased cybersecurity spending. Well over half the survey respondents (56%) say they have increased cybersecurity spending somewhere from one to 40 percent. Another 39 percent say cybersecurity spending has increased somewhere between 40 and 100 percent. Naturally, based on whatever the survey respondent might have been spending previously, it’s hard to say how much those increases represent in real dollars. There’s also no correlation between the amount of money spent and the level of cybersecurity achieved. But the survey does suggest significant progress is being made, especially in terms of embedding cybersecurity controls directly within business processes.
The survey, however, also suggests none of that progress is coming easily. Nearly three quarters (72%) cited increased sophistication of cybersecurity threats as a major obstacle, followed by emerging technologies (52%), inability to attract and retain top-flight talent (38%), limited pool of qualified security experts (35%), and lack of adequate funding (28%). None of those issues necessarily would come as a surprise to cybersecurity professionals, but the fact that senior IT and finance executives recognize the extent of the cybersecurity challenge is at the very least heartening.
In the meantime, cybersecurity professionals would be well advised to be proactive about discovering what applications are being developed. Trying to secure an application after it has been built is a fool’s errand. Cybersecurity professionals need to make sure developers are well aware of what security controls need to be embedded in their applications. The good news is senior IT and finance leaders are more aware of the requirement than ever. The bad news is they are not always consistent in terms of sharing those concerns with developers. Cybersecurity professionals need to do some sleuthing of their own to make sure there isn’t some development project somewhere that will later create a potential raft of problems. Waiting for someone in management to remember to tell the cybersecurity team about a project is an almost guaranteed recipe for failure. In fact, many of those same senior managers would say it’s the responsibility of the cybersecurity team to know what’s going on within the organization regardless of whether they are formally told or not. That may not necessarily seem fair, but in truth most organizations rarely are.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.