I reached out to a number of my LinkedIn connections recently, specifically the IT decision makers in my network. I wanted to see if they’d share with us – off the record – some of the top IT security challenges that they’re confronting right now.
The results of this exercise proved compelling – and here I share the top 5 IT security challenges that these leaders are most concerned about today. Those contributing included senior figures from across the banking, legal, IT consultancy, charity and market research sectors. A big thank you to all those who took the time to get involved. The pressing question is – do their concerns mirror your own? Let’s find out.
1 Being Compromised By Internal Security Failures
A common theme, regardless of sector, was concern around internal security liabilities: users clicking on an unknown phishing attempt and the problems that could follow from it, or accepting a rogue social media request with potentially damaging consequences, not to mention opening the company gateway to unforeseen attacks through the use of unprotected personal devices. Unintentional harm done through the actions of employees was a recurring theme.
The good news is that most I spoke with are working towards educating their workforces on the perils of ignoring their corporate or personal cyber security responsibilities. The more security conscious companies are also looking to work more closely with the National Cyber Security Centre (NCSC) and other security bodies to engage users at a deeper level. Should you?
2 Guarding Against the Actions of Rogue States
Unsurprisingly, given the tensions we’ve seen in recent times, there’s heightened awareness and greater perceived risk from the interference of ‘state backed’ teams: those who might choose to target businesses in order to undermine them and their parent country. This extends far beyond the spotlight that has recently been placed on Russia, to any player with reasons to want to harm a country and its key industries and infrastructure.
A shared concern is that this threat could escalate further as more knowledge is shared and ‘smaller’ political organisations (or terrorist groups) gain more capability. All of which is compounded by the increasingly complex technologies coming to market, which are outstripping the ability to protect against these threats. What more could you be doing to mitigate this threat?
3 Ensuring GDPR Compliance and Exploiting Resulting Opportunities
Understandably a hot topic of late has been the ‘GDPR’ mandate, which by and large seems to be stimulating a positive change in the IT security landscape. My contact in IT Sourcing & Consulting recently used this mandate to help bring credibility to a business case, to secure budget and board level support to drive through a security compliance initiative. This resulted in the business winning new clients and retaining existing customers.
Ensuring GDPR obligations are understood throughout the business is a common concern, as is making sure that the processes and IT security are in place to guarantee compliance. Overall, though, senior leaders seem to be at least as concerned with exploiting the opportunities that GDPR presents as they are with ensuring their own company is compliant.
One legal contact cited that law practices by default have constant challenges around IT security. The answer for this particular firm was to hire external experts to perform some due diligence, thereby becoming GDPR experts themselves and opening up the opportunity to offer this knowledge to clients as a new service.
A hosting provider who I spoke with has built a successful business model around clients whose data has been breached. His company is called in to create a secure environment for them to move to. He also receives countless requests from business people (HR and non-IT individuals) who have been given the GDPR compliance “hat” but who are unsure how to proceed. To that end he has created a new revenue stream: Data Protection Officer-as-a-service.
All of which begs the dual questions of i) what gaps are there in your own GDPR implementation? and ii) what opportunities exist in your market to turn GDPR into a new revenue stream?
4 Justifying the ROI of Spend on IT Security
A less common concern – but a really acute one for those confronting it – is IT leaders finding it difficult to convince the leadership team of the return on investment from addressing security matters. One of my contacts openly stated that their leadership team encourages looking at ways “around it” – weighing up the possibility of a fine if there’s a security breach and how palatable that fine is, instead of looking at the overall impact a breach would have on their business, their customer base and their brand.
A cautionary tale, if this is an approach your own leadership team is adopting. One contact of mine, from a well-known charity, suffered a large data breach a couple of years back which prompted early GDPR adherence. This was forced upon them by the ICO in exchange for escaping a large fine. The ICO still makes regular visits to ensure best practice continues to be adhered to; unfortunately it took the security breach to bring about that change. What’s more, the breach came at considerable cost. It resulted in the unveiling of a significant anonymous donor, who unfortunately chose to take their large charitable donations elsewhere following this incident.
A key lesson here is the importance of educating your leadership team on the potential costs of IT security shortcomings – and presenting things in a way that makes the explicit costs of inaction clearly understood. If you need help with this in your organisation, do feel free to get in touch.
5 Protecting Legacy Environments
Of all the people I spoke with, only one out of the twenty felt a high degree of comfort with their current security set-up. That particular contact works at a challenger bank – born in the cloud and therefore without a legacy environment to protect. They chose one of the 3 main cloud platforms and are confident the provider’s security processes, tools and best practice will keep them safe. Their environment sits under a managed security service provider (MSSP) but they remain very proactive, conducting regular penetration tests together with security support & banking peer groups to ensure continued best practice is being followed.
For everyone else, it’s the legacy nature of their infrastructure that causes a concern. People are looking to accelerate moves to the cloud and bring in external IT security partners in an effort to plug the gap. How about you, what are you doing to address issues arising from your legacy IT systems? If learning about using a managed security service provider (MSSP) would be helpful, you’re welcome to join our specialist webinar on this topic.
Although just a small sample of the information very kindly provided to me by people in my network, it’s reassuring to know security plans are being put in place, driven either by GDPR or by heightened awareness. Companies are moving firmly away from a protect model towards a detect model, and a tick-in-the-box exercise is no longer good enough. Continual surveillance and regular proactive detection seem to be IT leaders’ preferred route, whilst simultaneously educating and raising awareness within their workforce.
I saw a statistic that the global shortfall in certified cyber security experts is expected to increase by 20% to 1.8m by 2022. That will undoubtedly mean that a move towards a managed security partnership is likely to be the best route forward for many. Do feel free to get in touch if you’d like to discuss further.
Sascha Jooss has been Manager Sales DACH at United Security Providers since 2016.