IT decision makers face major challenges from dynamic adversaries, significant legislative and regulatory requirements, business digital transformation needs, and a rapidly growing array of technology solutions.
Ideally, business requirements would be the primary motivator for an organization’s approach to cybersecurity strategy. But, according to a new research report from Optiv Security, nearly two in three UK-based IT and security decision-makers say their security program is continually responsive due to constantly changing laws, threats and other external factors.
The changing technological landscape has a great influence on cybersecurity strategy. The proliferation of mobile applications has a major or significant impact on 79% of organizations, even more than the need to understand the gaps in their current security programs. Cloud-based technologies follow closely behind, with 77% citing cloud migration as having a major or significant impact.
“Security teams that focus solely on the external threat are overwhelmed by the pace of business and digital change,” said Simon Church, chief executive and executive vice president of Optiv for Europe. “We are witnessing a significant shift towards a ‘business-first’ perspective among cyber leaders, which balances risk with the imperatives of modern business. However, many organizations are still married to the archaic outside-in-inside model, which relies on purchasing security technologies based on the latest trends and vulnerabilities in a way that solves problems and answers. This approach allows the landscape, rather than business objectives, to dictate security infrastructure and operations, and often ignores the other important elements of a successful security program: people and processes.”
Research also reveals that broader corporate buy-in is a challenge. Nearly three in five IT executives find it difficult to gain buy-in to their security programs, mainly due to a lack of understanding on the part of the board.
Almost a third see this lack of understanding as the biggest obstacle to implementing their preferred strategy, and only 23% think the rest of the company understands their security strategy extremely well. In 56% of organizations, the IT department develops a security program strategy but requires board approval to get started. And, in almost a quarter of cases, the board dictates strategy to the organization.
“Many organizations struggle to successfully measure and report the return on investment of cybersecurity against the company’s business goals,” Church said. “In fact, according to our research, only a third of organizations report the success of their program to their business with either a live dashboard or regular reports showing key metrics. By strengthening reporting, IT decision makers can better secure membership and demonstrate the value of their security strategies and solutions.”
The research finds that more than a quarter of those surveyed believe their security is working extremely well. But increasingly, businesses don’t just want efficiency. They want simplicity. When asked how much emphasis companies would place on different factors if they could rebuild their programs from scratch, respondents said they would put 32% of their focus on simplicity, an increase of 9% compared to the current state.
“The challenge is for the world to continue to change and evolve at an accelerated rate,” Church said. “Everyone is aware of the exponential growth and the impact on global economies and businesses due to globalization, internet and cloud business models, digital transformation, mobility – all industries radically changing that are completely reinvented. The result of these transformations, and the existing security approach, is a cyber world that is excessively and unnecessarily complex and underperforming. Our research confirms that the industry needs a new perspective, a new approach, and a new delivery and consumption model for cybersecurity that translates into better outcomes. The industry needs an approach that puts business strategy and risk at the heart of cybersecurity decision making.”