Organizations are putting a lot of time, money and effort into combating cybersecurity threats. In TechTarget’s 2017 IT Priorities Survey, IT professionals said they spend 23 percent of their time on security-related activities. Only “general IT management” ranked higher, at 27 percent.
Gartner has predicted that organizations will spend $86.4 billion on cybersecurity in 2017, a 7 percent increase over 2016, and that spending will reach $93 billion in 2018. IDC says that IT security spending will top $101 billion by 2020.
Given all this time, money and effort, you’d think that organizations would be getting a handle on security threats. However, very few days go by without a major cyberattack or data breach, reminding us that there’s still much work to be done.
A new Ponemon Institute survey of senior-level IT professionals suggests that a reactive approach to cybersecurity could be part of the problem. Sixty percent of survey respondents consider security to be a business priority in their organizations, yet only 51 percent say their organization has an IT security strategy.
A cybersecurity strategy that spans the entire organization is rare. Cybersecurity is a standalone function in 58 percent of organizations, but only 22 percent say it is integrated with other business teams. Three-fourths of respondents say this lack of integration creates turf wars and silos that have either a significant influence (36 percent) or some influence (39 percent) on cybersecurity tactics and strategies.
Changes in cybersecurity programs are largely reactive, with material data breaches (45 percent) and cybersecurity exploits (43 percent) the top two events that get attention from senior executives. Only 43 percent say their cybersecurity strategy is reviewed, approved and supported by C-level executives outside IT. Communication with executive leadership is also crisis-driven. Almost two-thirds (65 percent) of respondents say they communicate directly with senior executives, but those conversations are rarely a strategic discussion of all the threats facing the organization.
Developing and implementing the right cybersecurity strategy can be difficult, given the scope of threats and the near-infinite number of ways to address them. These principles provide an effective starting point:
- Make cybersecurity part of the organizational culture. Some of the biggest threats are human error and lax adherence to security policies. Any cybersecurity strategy should incorporate ongoing cybersecurity education that focuses on best practices and how to identify security threats.
- Identify your organization’s top cybersecurity risks and build your strategy around them. There are a number of frameworks that can help guide the development of a risk-management strategy, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The risk assessment should cover the entire organization and consider the potential value of data and IT assets to outsiders.
- Use industry-standard terms in security policies and communications. A consistent approach helps ensure that all stakeholders, including executive management, understand cybersecurity issues and risks.
- Ensure that cybersecurity basics are in place. Most cyberattacks exploit well-known vulnerabilities. Organizations can improve their security posture by ensuring that systems are patched, privileged user accounts are properly managed, and sensitive data is encrypted.
- Address the cybersecurity skills gap. IT leaders should look beyond traditional job descriptions when hiring security roles. Automation and strategic partnerships can also help offset the shortage of cybersecurity professionals.
Investments in security tools and personnel can only go so far in combating cyber threats. Organizations need a comprehensive cybersecurity strategy that integrates with key business processes and aligns with corporate objectives.
By John Flores, Vice President of Marketing