Beware of Complacency: Maintaining Security Focus is Essential
As cyber threats become more complex, even organizations with mature cyber programs must continue to promote a culture of security and keep an eye on tool sprawl if they hope to stay ahead.
Security remains the number one priority for IT teams, and many of our clients are increasingly confident in their execution capabilities, according to WWT's latest survey of IT leaders.
Yet as cyber adversaries have become more skilled, what once felt like a rapid pace of change in the security landscape has become the new normal. A reality that has put organizations of even the most robust cyber strategy on high alert.
Chris Konrad, WWT Area Vice President of Global Cyber, said, "Given the challenges of operating in today's complex business environment — such as an expanding threat landscape; geopolitical tensions; and the increasing volume, velocity and variety of data — risk management and governance have become critical fundamental business imperatives. Businesses need to move to a more mature position in which risk management is integrated into the DNA of an organization. Risk management is a C-suite priority because it is one of the single most important determinants of business value realization."
Stated bluntly: No organization can afford to maintain the status quo. As one IT executive put it, "Our biggest risk is complacency."
Compliance does not equal protection
When asked about the maturity of various security practices, IT leaders rated regulatory compliance as being the most developed area in their organizations. Complying with various industry and governmental regulations is a necessary foundation of any security program, but that is only the beginning. By moving beyond compliance toward a risk-based approach, CISOs can examine whether credible threats exist to exploit existing vulnerabilities, then prioritize remediation actions based on the potential impact and probability of an attack.
"I would first start with understanding motive," said Mike McGlynn, WWT Vice President of Global Security Consulting, during a recent WWT Experts event. "Why would someone want to attack my organization?"
This gets the organization thinking proactively and creatively. What are the most important or valuable targets (e.g., data, intellectual property, etc.) your organization needs to protect? Once identified, you can begin maturing your security program by:
- Mapping security controls to a best practices framework and identifying gaps and vulnerabilities
- Documenting cybersecurity roles, responsibilities and processes
- Establishing full visibility into the entire technology ecosystem
- Understanding your full security tools portfolio and identifying overlapping capabilities and gaps in coverage
Build a culture of security
Areas where IT leaders reported less confidence in our survey included building a culture of security and maximizing current investments.
Today, protecting your data, assets and applications requires a foundational shift: Putting cybersecurity at the intersection of everything and embracing it as a core element of organizational strategy, culture and growth. Cybersecurity must be elemental to the organizational culture.
While this starts with the board and senior leadership, your CISO should be the lead educator when it comes to managing all digital risks. CISOs should establish a framework to educate all staff, from senior executives to individual contributors.
When CISOs understand the business model and are in alignment with leadership priorities, they can be an enabler of organizational goals and growth rather than a roadblock.
"It's a lot easier to move quickly when you are alone," said McGlynn. "But the reality in cyber is that we don't need to go fast. We need to be consistent, thorough and rigorous, and that requires a level of patience."
Maximize your current investments
IT leaders in our survey were also less optimistic about their ability to maximize the value of current security investments. This mirrors a trend we've noticed over the last several years with organizations purchasing dozens of cybersecurity point solutions with overlapping capabilities. This overlap has an obvious impact on budgets, but it can also take away valuable time from the staff members asked to manage a complex and inefficient mix of tools.
Perhaps most concerning, tool sprawl has the potential to create gaps in security coverage and decrease the effectiveness of your overall cyber program.
As your toolset grows and more applications shift to the cloud, visibility becomes a challenge. And without full visibility into your technology ecosystem, your organization is simply not secure. To chart a path to full visibility, you can initiate a tools inventory by asking and answering:
- What is on my network?
- What is each application and device doing?
- Is that application or device doing what it should be doing?
Then, you can evaluate your toolsets against the NIST Cybersecurity Framework by asking and answering:
- Are all security controls covered?
- Are there any vulnerabilities not addressed with my toolset?
- Are there overlapping feature sets that can be simplified with one tool, or any obsolete tools that can be removed?
Consider working with a partner who can demonstrate in a lab environment how a security solution would integrate into your existing network to help you evaluate new solutions.
The rapid change of pace in the cybersecurity industry is here to stay. Your organization needs pervasive real-time enterprise visibility, granular security control and rapid response capabilities to deliver secure business outcomes.
This report may not be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior express written permission of WWT Research. It consists of the opinions of WWT Research and as such should be not construed as statements of fact. WWT provides the Report "AS-IS", although the information contained in Report has been obtained from sources that are believed to be reliable. WWT disclaims all warranties as to the accuracy, completeness or adequacy of the information.