IT leaders need to be wary of becoming addicted to gambling on cybersecurity


Winning a bet is one of life’s little pleasures. People make bets all the time. Many people even like to place wagers on the outcome of those bets. The trouble is gambling can become an addiction. What many organizations don’t realize is just how often CISOs and CIOs are now routinely gambling on cybersecurity.

A survey of 500 CISOs and CIOs published this week by Tanium, a provider of endpoint management tools, finds that 81 percent have refrained from making an important security update or patch because of concerns about the impact it might have on business operations. Over half (52 percent) said they have done this on more than one occasion. A full 94 percent have made trade-offs between core elements of security hygiene and IT operations effectiveness.


The survey also revealed that CIOs and CISOs are often not even aware of the level of risk they face. Because of a lack of visibility, 80 percent of respondents said they have discovered that a critical update or patch they believed had been deployed had not actually been applied to some systems.
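The visibility gap the survey describes, a patch believed to be deployed that never reached some hosts, is something a team can check for itself by reconciling the intended fix version against what each endpoint actually reports, and by treating hosts that have stopped reporting as unknown rather than as compliant. The following is an added example, not code from Tanium or from the article; the inventory records, the package name, the fixed version and the reporting-age threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and inventory; a real deployment would pull these
# from the endpoint management system rather than hard-code them.
NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)
MAX_REPORT_AGE = timedelta(days=1)  # assumed: older check-ins are not trusted

INVENTORY = [
    {"name": "web-01", "last_seen": NOW - timedelta(hours=1),
     "packages": {"httpd": "2.4.43"}},            # patched and recently seen
    {"name": "web-02", "last_seen": NOW - timedelta(hours=2),
     "packages": {"httpd": "2.4.41"}},            # still on the vulnerable build
    {"name": "db-01", "last_seen": NOW - timedelta(days=3),
     "packages": {"httpd": "2.4.43"}},            # claims patched, but stale
    {"name": "app-01", "last_seen": NOW - timedelta(minutes=30),
     "packages": {"httpd": "2.4.39"}},            # never received the update
]


def parse_version(version):
    """Turn a dotted version string into a tuple so '2.4.43' > '2.4.9'."""
    return tuple(int(part) for part in version.split("."))


def patch_status(inventory, package, fixed_version, now, max_report_age):
    """Classify every host as compliant, missing the fix, or unknown.

    A host is 'unknown' when its last report is older than max_report_age:
    a stale success is not evidence that the patch landed.
    """
    target = parse_version(fixed_version)
    status = {"compliant": [], "missing": [], "unknown": []}
    for host in inventory:
        if now - host["last_seen"] > max_report_age:
            status["unknown"].append(host["name"])
            continue
        installed = host["packages"].get(package)
        if installed is None or parse_version(installed) < target:
            status["missing"].append(host["name"])
        else:
            status["compliant"].append(host["name"])
    return status


def compliance_ratio(status):
    """Fraction of hosts proven compliant; unknown hosts count against it."""
    total = sum(len(hosts) for hosts in status.values())
    return len(status["compliant"]) / total if total else 0.0


def check_inventory():
    """Run the reconciliation over the constructed inventory."""
    return patch_status(INVENTORY, "httpd", "2.4.43", NOW, MAX_REPORT_AGE)


if __name__ == "__main__":
    result = check_inventory()
    for bucket, hosts in result.items():
        print(f"{bucket:>9}: {', '.join(hosts) or '-'}")
    print(f"proven compliant: {compliance_ratio(result):.0%}")
```

The point of the `unknown` bucket is that the number a dashboard reports as "deployed" is only as good as the freshest report from each host; counting stale hosts as patched is exactly how a team ends up believing an update is complete when it is not.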

IT and cybersecurity leaders need to make risk evaluations every day. But the more complex the IT environment becomes, the greater the tendency to minimize disruption. Every time a CIO or CISO makes that bet and wins, there is a natural tendency to push their luck. The trouble is that with each bet to forgo a patch or application update, the risk becomes greater. Some CIOs and CISOs have been known to crack under that pressure. Others, however, become addicted to the adrenaline rush that taking risks always engenders.

The good news is that rather than gambling with cybersecurity, there is now a concerted effort to reduce the stakes. Intel, for example, this week described its ongoing efforts to make it possible to create trusted zones of confidential computing from the edge to the cloud. It may take a while to replace all the inherently insecure systems that are deployed across the enterprise, but at the very least new systems have the potential to be fundamentally more secure than their predecessors.


At the same time, there is a shift toward building new applications using containers as part of the rise of DevSecOps. While the code inside those containers isn't any more secure, the containers themselves are much simpler to replace. That will make the process of patching applications much less disruptive than it is today. Of course, the challenge most cybersecurity teams face today when it comes to deploying containers is that they lack visibility into those containers.

Nevertheless, progress is being made, even if it is slow in coming. The goal CISOs and CIOs should be working toward is reducing the highs and lows of cybersecurity. It may seem that replacing existing applications and systems is a costly way to solve cybersecurity issues. However, when the stress of gambling on cybersecurity is added to the losses a business will inevitably incur, the cost of those new applications and systems may not seem all that high. In the meantime, CISOs and CIOs would do well to remember that no matter how many times they win a bet, the odds over the long term are stacked against them.
