Year after year, major surveys highlight low levels of cyber security maturity across large firms, and increasingly an even more worrying situation amongst smaller firms. The 2016 RSA Cyber Poverty index is a good example of that trend. It truly paints a grim picture, but simply confirms findings that seem consistent across all large surveys – even if methodologies do vary.
Most of those surveys have another point in common: They are – in some form or another – organised or sponsored by heavyweights of the cyber security industry or large consultancy firms, who ultimately can be suspected of having an interest in accentuating negative traits in order to maximise their own sales.
But even if the results of those surveys have to be taken with great care for that reason, they do match an enormous amount of anecdotal evidence we come across in the field every day: Too many large firms – leaders in their field – are still struggling with basic principles of cyber security hygiene that have been regarded as good practice for 10 to 15 years, and for which technical solutions and organisational processes have existed for just as long:
- Monitoring of basic network security events
- Timely deployment of security patches on servers and desktops
- Timely removal of user accounts
- Periodic revalidation of access levels with business units
It cannot be suggested that solving those problems is easy in large firms, and to a large extent the disappearance of the traditional business perimeter of the enterprise and the digital transformation of supply and value chains have made things even more complex.
But those good practices have been relentlessly pushed forward by auditors and regulators, as well as infosec professionals, for the best part of the last 10 to 15 years. Very large amounts of money have been spent with tech vendors on alleged solutions in those areas, so undoubtedly it is concerning that so little progress seems to have been made by so many firms in those domains over such a long period of time.
The most common root cause is a constant short-termist approach by senior management, focused solely on alleged “quick wins” or illusory technical solutions to audit or compliance problems, at the expense of the more complex process and governance transformation issues that would have driven real change but would have required a longer term vision and approach.
The technology industry has done little to break those dynamics: In fact, it has been happily riding that wave for a long time, and the trend shows no signs of abating. It also has a long-standing tradition of re-inventing itself, and the cyber security sector is no exception. Most security vendors are now embracing emerging technologies such as Artificial Intelligence or Machine Learning, as well as more established platforms such as Big Data, and present as “innovative” cloud-based delivery models that in fact have been in existence – for some of them – for over 10 years.
They paint to their clients a situation where threats morph constantly, and therefore new tools are constantly required; and it may well be the case to some extent in some industries. But the harsh reality is that many of their clients don’t have the basic processes in place that would enable them to take full advantage of such products, and at best they simply continue to buy them to put ticks in audit or compliance boxes, when it is not merely a pet project for the CISO.
Many board members have woken up over the past few years to a situation they don’t understand, being told all of a sudden that data breaches are simply a matter of time, often by the same people who have been telling them for years that everything was under control.
They need to realise that this is not just an external situation created by the acceleration of threats or some adverse economic or geopolitical outlook. Quite often, it is also the symptom of a serious internal problem rooted in decades of short-termism, adverse prioritisation of security matters and a complacent “tick-in-the-box” culture around audit and compliance.
We are coming to a point in many large firms where true “innovation” in the cyber security space does not consist in deploying the latest tools, but in going back to the governance drawing board: looking at long-term actions, removing the roadblocks that have prevented progress in the past, and redesigning fundamental security processes across IT, the business and other support functions (such as HR) in order to rebuild proper and functional operating models conceived to protect the organisation once and for all.
This article was first published on the Corix Partners blog on 8 December 2016.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.