The level of security built into IT products and services is finally becoming a major selection criterion. A global survey of 1,875 IT and security professionals published by Intel this week finds 73% of respondents are more likely to purchase technologies and services from technology providers that proactively find, mitigate, and communicate security vulnerabilities.
Unfortunately, nearly half the respondents (48%) noted that their current technology providers don’t offer this capability.
Conducted by the Ponemon Institute, the survey is meant to bolster a case Intel is making for more use of the security capabilities built into its latest generation of processors. Two-thirds of survey respondents (66%) said it is highly important their technology provider offer hardware-assisted capabilities to mitigate exploits of software vulnerabilities.
Larry Ponemon, chairman of the Ponemon Institute, said it’s apparent more organizations are demanding greater transparency into how cybersecurity is attained and maintained. Nearly two-thirds of survey respondents (64%) said it’s highly important for their technology provider to be transparent about available security updates and mitigations. Nearly half of respondents (47%) said their technology provider doesn’t provide the level of transparency required.
Nearly three-quarters (71%) also noted it’s highly important for technology providers to offer ongoing security assurance and evidence that the components are operating in a known and trusted state. Slightly more (74%) said it is highly important for their technology provider to apply ethical hacking practices to proactively identify and address vulnerabilities in its products.
Specifically, Intel is advising IT organizations to demand their vendors should:
- Provide transparency about security updates and available mitigations.
- Identify vulnerabilities in its own products and mitigate them.
- Provide ongoing security assurance and evidence that the components are operating in a known and trusted state.
- Enable hardware-assisted capabilities to help protect distributed workloads and data in use, and to defend against software exploits.
Cybersecurity professionals, naturally, have a vested interest in transparency because any issue that is not addressed by a vendor eventually bubbles up to them. The challenge they face is many of the individuals that select IT products and services within an organization don’t often have a great appreciation for security. It’s not that they don’t care about security; rather they don’t know what security attributes to assess.
It’s unlikely providers of IT product and services will ever fully address cybersecurity requirements. They are always trying to strike a delicate balance when it comes to cost. If a rival is gaining share because their product or service is available at a lower cost because it doesn’t include security capabilities, there’s always going to be a temptation to follow suit. One way or another, of course, organizations wind up paying for cybersecurity. The more cybersecurity that needs to be layered on by an internal IT team, the more expensive the total cost of cybersecurity ultimately becomes.
Obviously, cybersecurity professionals might be well-advised to conduct some procurement training as part of an effort to reduce the number of potential incidents they have to clean up later. The challenge, of course, is not only finding the time to conduct that training, but also convincing everyone else in the organization to set aside enough time to actually pay attention.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.