The sheer number of cyberattacks resulting from an inability to manage risks — and the burgeoning talent shortage to deal with it — will force CIOs to rethink their defense strategy.
Today’s digital landscape is inconceivably broad and deep. It’s a convergent environment in which every desktop, laptop, smart phone and IoT device owned or used by organizations is simply another node in a global network. And it’s never been harder for organizations to situate themselves in the landscape of which they are a tiny part.
As organizations transition more of their operations to the digital universe, the infrastructure and services their IT departments don’t control directly in-house must be addressed through robust cyber-security measures. But those measures aren’t being implemented fast enough. Gartner predicts that by 2020, 60 percent of digital businesses will suffer a major service interruption because their IT security teams won’t know how to deal one or more of the sophisticated cyber-threats that come their way virtually every day.
A lot of people think that the biggest digital transformations are taking place in business, but that view is only partly correct. Criminals are also going digital in a major way – and making uncounted and uncountable millions of dollars doing it via hacking and other nefarious cyber-activities. And the cybercrime growth doesn’t seem to be slowing – if anything, it’s growing by the hour. The shady "darknet" is the place where the criminals hang out and transact their illegal business, both by themselves and on behalf of others who want for one reason or another to extort money from companies large and small. Making matters worse is the sad truth that, these days, you don’t need to be a skilled computer geek to wreak havoc. You just need to know where to go to access the people who are skilled and can do the dirty work for you, whether it’s through selling or deploying ransomware, DDoS attacks or identity theft. The services and products for online thievery have never been more accessible or caused more damage. And the trend will only be upwards.
Most companies, especially large ones, rely on a complex mishmash of IT infrastructure residing both in-house and in the cloud. Some systems have been serving them for years, while others are more recent acquisitions. They all have to talk to each other and be accessible to their users. Striking this balance is a tall order, as any IT department can attest. Techies are typically run off their feet putting out fires and trying to make sure malicious or inadvertent threats don’t spread and cripple the organization. On the staff side, keeping pace with alerts is exhausting, and many can get so overwhelmed by the unceasing flood of alerts that they become numb to them (a.k.a., “alert fatigue”). This poses huge risks and can result in longer response times or missed critical alerts. In fact, Cisco’s 2018 Annual Cybersecurity Report states that only 56% of alerts are being investigated, and 44% of them are not investigated at all. Of the ones that are, only 51% of legitimate alerts are being addressed and the threats fixed. Almost half (49%) of the threats out there remain undetected and pose a constant lurking danger to systems and companies. For IT, spotting and dealing with these alerts is a true challenge.
According to the Ponemon Institute’s 2018 Cost of a Data Breach study, organizations take a whopping 197 days, on average, to detect breaches. The ramifications can be brutal: while the average breach costs an organization $3.86 million, the price tag for a massive breach of 1 million records can rack up an average total cost of $40 million.
The Cisco report notes that more security professionals are reporting that breaches took a toll on more than half of their organization’s systems (32% compared to 15% the previous year). The most commonly affected business functions are finance, intellectual property, operations and brand reputation. Unsurprisingly, eight out of ten CISOs are concerned that many data breaches remain unaddressed.
When it comes to tackling cyber-security and technology risk in digital businesses, better leadership and governance may be a higher priority than more sophisticated technology and upgraded skills. The World Economic Forum’s Global Risks Report 2017 concludes that “a large-scale cyber-security breach has become one of the five most serious global risks today”. It’s gratifying to see that a potential global attack is on everyone’s radar, but experts know the bitter reality is that security is still taken too lightly.
Of approximately 1,200 C-suit executives polled, only 4% of respondents have significantly revised their organization's security strategy, even as they acknowledge that every day they are exposed to an ever-growing number of cyber-threats, according to EY’s Global Information Security Survey 2017-18. Only 17% of corporate boards have enough cyber-security expertise to effectively oversee cyber-risks. Again, this is no surprise; the study found that a mere 50% of those in charge of cyber-security regularly report to their Board. This too-frequent cold shoulder from the C-suite is putting a damper on cyber-security and shining a spotlight on the need for new attitudes and more meaningful IT involvement.
Pundits estimate that there will be 3.5 million unfilled cyber-jobs by 2021, and the cybercrime surge is expected to triple the number of vacancies over the next few years. Even companies with tons of cash will find it hard to find all the IT brains they need. The coming shortage of talent in the market requires a fresh approach to the problem.
And there’s no time to waste. In ever more complex IT environments with greater interconnectivity – and the need for millions of people to access them 24/7 – human error represents one of the biggest single points of security failure. Only a third (34%) of security professionals depend on machine learning, according to the Cisco report, so there is still a long way to go before we’re even close to taming the cyber-threat monster. The sheer number of cyber-attacks and the burgeoning talent shortage compels organizations to think up smarter ways of doing things as opposed to just more of the same. In many cases, that will mean turning to machine learning, data analytics and heavy automation – the heavy artillery that, as of today, provides the best defense against cybercriminals.