Data security concerns fuel IT investment decisions

March 17, 2016
Survey examines how important security has become when it comes to IT spending

Given the financial and reputational damage a data breach can inflict on an organization, it should come as little surprise that security is now the chief concern of IT decision makers when they allocate their budgets. According to the results of a recent survey sponsored by IT services provider Datalink and conducted by IDG Research Services, 70 percent of companies now rank data security as their top priority when investing their IT dollars.

In addition, the survey, which polled more than 100 IT executives and senior-level managers from large U.S.-based organizations, found that 75 percent of companies consider IT security more important today than just two years ago. Nearly three-quarters of respondents said they have security projects in the works, while just over 20 percent indicated that such projects were still in the build or planning stage.

Jason Rader, Datalink's chief security strategist, attributes the increased concern to the high-profile breaches of recent years and the resulting fallout for some of the biggest names in retail, healthcare and entertainment. In fact, a heightened risk of security breaches was cited by 65 percent of survey respondents as the most important factor influencing their IT investment decisions, followed by stricter compliance and regulatory mandates, cited by 43 percent of respondents.

"That's what scares probably your average CISO and certainly the boards of organizations that feel like they've done their due diligence and yet there are still folks who they respect who are ending up on the front page," said Rader.

Although the threats posed by cyber intrusions are certainly not a new phenomenon to corporate America, Rader said the likely reason more organizations consider IT security a more critical concern today than they did just two years ago is that many of them felt they had cybersecurity under control.

"From two years ago to today, the threat has continued to be a problem and the people who thought they had it sorted out are finding out that they didn't," said Rader. "We're also moving from that perimeter-based approach to security… we're well-ingrained in trying to move away from just putting all of our protection on the perimeter and we're actually doing detection, as well as response, more than we classically would have thought about it, and that requires kind of a rework of the way the entire ecosystem within the organization works. We've pretty much figured out there's no way you're going to stop every infiltration from getting into your network. What you're going to have to do is make sure you can detect and mitigate that risk after you've detected it, in a far more efficient manner."

Rader believes the IT industry is currently in the midst of a transformation when it comes to security. "You can't really approach security like you approach IT projects, for example, because security is one of these things that's not a project. I've gone into organizations where they were like, 'Oh, security, we did that last year,' and certainly that was a long while ago, but it's not a situation where we can buy all of the gear we need to support security this year and that will be the last of that capital expenditure," he said.

Much like their counterparts in physical security, IT security professionals have to "get out of the darkroom and into the boardroom," Rader said, meaning they have to learn to speak the language of the business they serve rather than just throw statistics at their executive leadership team to prove how well they are performing their job.

"There are a lot of operational metrics security practitioners use in the physical security and technical security realms that are completely meaningless to the business. Nobody cares how many viruses were eradicated with virus scans, nobody cares how many spam emails you quarantined, etc.," said Rader. "What they want to know is how is security promoting the business, how is it helping us mitigate risk, and unfortunately, there aren't a lot of brilliant metrics that are meaningful across every organization."

While technology solutions obviously remain an important part of an organization's cybersecurity risk mitigation strategy, Rader said many companies have started to realize that educating and training their employees about the dangers that can lurk online and in their inboxes, and putting good policies and procedures in place, is as important as, if not more important than, deploying technology.

"You could put the latest and greatest, the best stuff in the world from a technology perspective in place, and then somebody who clicks a link, on purpose, and says 'yes' to whatever certificate errors pop up is still allowing people to get inside the castle walls, and then, at that point, it's a detection problem which your company may or may not be capable of detecting," said Rader.