At the recent RSA Conference in San Francisco, attendees heard a lot of recognition that the cyber security landscape is in flux. A new generation of technologies that generate unprecedented amounts of data has changed the playing field, as has the rise of artificial intelligence. This has resulted not just in more things to secure and more insight to work with, it also has led to an adversary that's better equipped, more sophisticated and with more assets to access.
Security experts from every industry not only described how their own strategies are constantly evolving to keep up with all this change; they also repeatedly recommended making security a higher-level priority and to stop viewing it as something IT takes care of.
Here's hoping attendees got the message, because a recent report from IT services provider Cognizant indicates that most companies aren't walking the walk. More than anything, the report suggests that too many organizations are still viewing security through an antiquated lens.
"The discipline of security is still struggling to find its place in organizations, as evidenced by the continued debate of where the role of chief security officer (CSO) fits vis-a-vis the role of the CIO," wrote author Michael Cook, senior manager of Cognizant's Center for the Future of Work.
Is it any surprise, given this uncertainty, that the bad guys are licking their chops?
Consider some of the more disturbing findings from the report. For instance, 45 percent of respondents still see cyber security as an IT initiative and 58 percent acknowledged that their IT infrastructures and security strategies weren't even integrated. Perhaps even worse, only nine percent said their organizations have made cyber security a board-level priority.
The logical conclusion is that too many companies continue to see security as a threat specifically to their information technology systems and are proving slow to recognize that their businesses have become digital from end to end and that their security strategies need to reflect that.
"Security needs to move out of the back office and into the C-suite," wrote Cook. "Leadership needs to embrace cyber security as a board-level initiative and not just relegate it to IT."
One area that poses special challenges is cloud migration, which more than 70 percent of respondents consider a glaring cyber soft spot. Prioritizing security controls and resilient architectures to support cloud migration is considered a fundamental requirement and yet 68 percent of respondents admit they could be doing more about cloud security. And quite often, what they could be doing has nothing to do with technology and everything to do with training employees.
(Social media and careless or unaware employees were the next two most oft-cited soft spots, further emphasizing the need for security to be more than an IT initiative.)
Compounding the problem is the well-documented talent shortage security leaders are grappling with. Some 60 percent of respondents said they have inadequate resources to deal with the expected increase in volume and frequency of security incidents over the next year. AI will help to close the gap with automated technologies that can monitor and analyze security data, but it won't completely mitigate those issues, and the bad guys also will employ those same AI capabilities.
And it's that unavoidable reality—that adversaries will be attacking with the same technologies cyber security teams rely upon—that has helped to make security feel like what Cook referred to as an "endless war." With the technologies, data flows and threat vectors in a state of constant evolution, so to must security strategies be constantly evolving.
Along those lines, it's encouraging that one-third of respondents said they're now reviewing their security strategy monthly and that just over five percent are even doing so weekly. But more than 30 percent of respondents are holdouts who stubbornly continue to review their security strategies annually.
And there's no indication that things will slow down. A steady stream of emerging technologies such as blockchain, quantum computing, advanced analytics and new DevSecOps models will continue to shift the playing field, keeping bad guys trying new things and security teams constantly shifting what they're doing in an effort to stay one step ahead.
The report also highlights an approach Cognizant has developed to help keep security strategies current and forward-thinking. Dubbed "LEAP," this approach recommends that organizations future-proof their digital operations by leading, evolving, automating and preparing. The idea is to use those concepts to guide a security strategy that reflects the current and future threats to an organization.
The alternative, wrote Cook, will put an organization behind the proverbial eight ball.
"Companies face the genuine threat of irrelevance if they fail to embrace digital technologies, but it’s these very technologies that are opening the doors to would-be cyber criminals," wrote Cook. "Any company that hopes to do business in the digital economy must strengthen its cyber defenses to remain viable."