New research shows that cyber security is taking center stage at many organizations. A pessimistic way of looking at this would be to acknowledge that things have gotten so bad with breaches, malware, and other incidents that enterprises have no choice but to focus on security.
Another, more positive way of looking at it is to realize that never before have cyber security programs and leadership been so empowered to help keep systems and data safe from intrusions. In theory, at least, that should mean more access to budget and other resources.
A recent report from the Infosys Knowledge Institute (IKI) at digital services and consulting firm Infosys provides a clear picture of how important cyber security has become.
“In today’s hyperconnected and digitized world, cyber security has become an important strategic imperative owing to the sophistication of cyber crime,” the report said. “Digital businesses require complex and distributed interactions among people, applications, and data—on-premise, off-premise, on mobile devices and in the cloud. The result is an increase in the attack surfaces that are hard to protect and defend.”
The study, based on a survey of 867 senior executives representing organizations from 12 industries across the U.S., Europe, Australia and New Zealand, shows that 83% of the enterprises view cyber security as critical. That’s a high percentage, but it also makes you wonder where the remaining 17% of organizations stand on cyber security.
More than two thirds of the respondents said they have implemented a well-defined enterprise-wide strategy and roadmap for security, and cyber security has become a boardroom imperative at nearly half (48%) of the enterprises. In addition, about two thirds of business leaders (63%) are actively involved in cyber security strategy discussions.
This increased focus on information security comes at a time when threats continue to grow in sophistication and the enterprise attack surface continues to expand to include the cloud, mobile devices and apps, the Internet of Things (IoT), and edge computing.
Threats can emerge from a number of sources and take advantage of several weaknesses on the part of security programs. The top concerns faced by enterprises are hackers/hacktivists (cited by 84% of respondents), low awareness of security issues among employees (76%), insider threats (75%), and corporate espionage (75%).
To help address these threats, organizations are deploying products and services such as security incident management (66%), risk and compliance (66%), and security awareness training (66%).
For sure, cyber security challenges abound. The Infosys report noted that many organizations are finding it difficult to build a security-aware culture and to embed security in their enterprise IT architecture. They are also battling a shortage of skilled workers and are unable to keep up with technological advancements.
To overcome some of the security challenges, more than half of the organizations are focusing on adopting integrated security platforms and are working with technology and service integrator partners. They are also following a series of “soft” methods, the report said. These include training and certifications (cited by 61%), enablement sessions (54%), and creating security awareness among employees (51%).
Network segregation (65%), threat intelligence platforms (57%), and advanced threat protection (55%) are the most commonly implemented security tools.
Among the top trends that will shape the future of cyber security, according to the survey, are artificial intelligence (41%); privacy and personal data protection (35%); and blockchain and deception technologies (33%).
As the enterprise perimeter continues to diminish, the study said, visibility into the environment will get tougher. Operational technology (OT) and the IoT “massively expand the scope of security strategy and operations,” it said. “When a massively distributed fleet of autonomous devices that can make decisions is combined, directly affecting the physical state of people and things, there is a considerable risk to manage.”
This issue is not limited to the CISO and other security executives, but needs the involvement and sponsorship of the leadership and the board, the report said.
The absence of a well-defined cyber security program can cause significant damage to an enterprise’s operations, reputation, and financial condition. In fact, it can threaten its very existence, Infosys noted.
Although an organization might have the best tools and services for detection and prevention, eventually, a motivated attacker will find a way into the enterprise network, either through social engineering techniques or a zero-day exploit, for which there is no signature available for detection.
Therefore, the report said, the spotlight on cyber security today is clearly justified.