IT Leadership: IT security – oxygen or onion?
By: Mark Walker, associate vice president of Sub-Saharan Africa at International Data Corporation (IDC)
Search for "security is like" on Google. The engine will autocomplete with "security is like oxygen" and "security is like an onion". Both are true. Security is the oxygen that keeps the business alive: without it there is the risk of breach, reputational loss and outright failure. It is also, like the onion, multi-layered and complex enough to make even the sturdiest Chief Information Security Officers (CISOs) cry. Today, security isn't at the beginning of the end, with solutions relentlessly refining their capabilities and reach. It is at the end of the beginning. Technology is evolving relentlessly through digital transformation, the third platform and the Fourth Industrial Revolution. Never before have industry and business been more reliant on technology, and it has never been more important to build security in on the ground floor instead of bolting it loosely on top.
Most South African companies are serious about digital transformation, and yet only 9% of South African CIOs believe that cybersecurity and privacy technology are vitally important to a digital transformation strategy. This is a concern. Security should be the bedrock of digital transformation: if systems are built on the wrong assumptions at the start, the issues scale as rapidly as the systems do. This is particularly true of the Internet of Things, where machine learning, artificial intelligence (AI) and the algorithms that power them must start out with security at their core. A misstep at the start can become a critical security weakness further down the line, when it is far more expensive to correct.
Security is under inordinate pressure to perform and protect while always lagging behind innovation and the demand for agility. IT decision makers must balance the need to drive innovation, monetise data, manage user expectations and enhance agility while simultaneously ensuring that governance, risk and compliance (GRC) mandates are met. IDC's research has found that 37% of CISOs are struggling with this balancing act. They must align the business's need for growth with both security and regulatory demands, and they are all looking for the digital cure to the GRC and security migraine.
There has been a corresponding rise in spending on security and data management, particularly as the ramifications of POPIA and GDPR become more apparent. However, it is highly likely that real compliance across all fronts will only occur once a globally impactful incident kicks everyone into gear. The problem is that security is already a complex web of intricate solutions, and this is made even more complicated by the influx of local and global security standards and guidelines. NESA, NIST, ISO 27001/18/31/35, ISO 22301/NCEMA 7000, CSA-STAR, PCI DSS, HIPAA, GDPR, Basel III, MiFID, DESC, ADSEC, CITC: these are just some of the codes that rest on security's plate.
And whoever oversees IT security is liable if the right steps are not taken or if security is breached.
There is an urgent need to minimise and mitigate risk, to address these challenges and to overcome some of the hurdles facing both organisations and security teams. IDC found that 51% of organisations are finding it difficult to locate skilled IT security personnel, 49% lack sufficient IT budget, and 36% consider poor employee adherence to policies a threat. These challenges are further compounded by limited access to up-to-date threat information (40%), a lack of mature security policies (31%) and limited compliance with regulations (24%).
Security can no longer be built in a vacuum. The organisation must partner with vendors to craft solutions that map back to the specific challenges of its industry, sector and internal structure. The days of plugging in some security and handing over a phone number to call when it all goes wrong have passed. Internally, there needs to be a clear line of sight as to who leads digital transformation. Power has gradually left the IT department and moved into the lines of business. Employees use credit cards to spin up servers and run workloads that IT has never heard of, and often never will until there is a breach. The technology hand is losing sight of what the business hand is doing with technology, and this presents significant risk unless a clear line of sight is established at the outset.
IDC surveyed organisations to establish exactly who should lead digital transformation. The results found that 75% believed it should be a joint activity between the line of business and IT, while 16% believed it should be led by the business and 8% that IT should lead the way. The right approach is the one where IT and the business work together, collaborating on projects and digital initiatives from the outset. Involving security early is essential to its success.
Fortunately, the line of business has started to rethink its views on security. In an IDC survey from five years ago, only 2% believed that it was a priority. Today the number has risen to 33%. Breaches like those at Ster-Kinekor and Liberty are waking up the industry, especially as it realises that non-compliance can end in jail time and corporate collapse. Now is the time for the organisation to ensure it is covered and to be able to say with confidence that the steps have been taken towards a truly robust security posture. The alternative is unthinkable.