In yesterday’s blog, I mentioned to a certain degree the fact that prior to COVID19, many businesses across Corporate America were deploying too many security tools and technologies in an effort to shore up their respective lines of defense.
In other words, the mentality was that the more that was thrown out there, the better off the business was in terms of mitigating future Cyber related threats. But since this pandemic started, many CIOs and CISOs are now reevaluating this kind of approach, simply from the standpoint that they no longer have the cash to invest in newer stuff.
Let us face it, when economic times and conditions get tough, the IT and Cyber budgets are typically the first to get axed. But as much as I have made this claim, I have never really had the numbers to back up my hypothesis.
Well, in today’s blog, I do now have some numbers with which I can further substantiate my hypothesis. All of this has come out in a recent market research report that was conducted jointly by KPMG and Oracle.
Their study is entitled the “Oracle And KPMG Cloud Threat Report 2020”, and it can be downloaded at this link:
Their report is divided into 4 major sections, which are as follows:
*The fears that keep the CIO/CISO up at night;
*The nightmare that too many security devices are having;
*Issues with Cloud based platforms;
*The shift to more “intelligent” based IT and Network Infrastructures.
So, let us now go ahead and take a look at some of their major findings:
*The fears that keep the CIO/CISO up at night:
Yes, we keep hearing in the Cyber news headlines what the CIO/CISO is most afraid of, and well, here is a sampling of that:
*A big chunk of the respondents are much more worried about keeping their company’s financials and IP assets more secure than they are about protecting their own personal belongings;
*80% of them have grave concerns about working with a Cloud provider (they are afraid that it may become the competition);
*92% of the CIOs and CISOs are simply too afraid to move their On Prem infrastructure to a Cloud based one;
*80% of them are most worried about data breaches, especially when it comes to protecting the PII records of their customers, driven primarily by fears of the GDPR and CCPA.
*The nightmare that too many security devices are having:
Ok, these numbers are going to completely blow you away, as they did me:
*78% of those CIOs and CISOs polled state they use a whopping 50+ different security technologies in their respective companies (this even means from different vendors, so just imagine what it is like to deal with 50+ security vendors???);
*59% of those that responded claimed that the privileged access accounts they have established for certain employees (like network admins, system admins, project managers, software development team leads, etc.) have been compromised in recent Phishing based attacks;
*There were also plenty of misconfiguration issues, driven primarily by the fact that these organizations simply have too many tools and technologies at their disposal. For example:
*37% claimed that over-privileged access accounts had been assigned;
*35% said that there were gaping security holes in the source code used to create their Web apps;
*33% of the respondents did not even make use of Two Factor Authentication (aka 2FA). They used only one authentication mechanism: the notorious password.
*Issues with Cloud based platforms:
The Cloud platforms (most notably those of AWS and Azure) have been proclaimed to be the next best alternative to having an On Prem infrastructure (this is a point that I fully support). But given the COVID19 pandemic, these resources are also being stretched to their limits to some degree or another. The main catalyst for this has been the mass exodus to WFH. Here is what the report found:
*90% of the respondents are currently using some sort of either Software as a Service (SaaS) or Infrastructure as a Service (IaaS) platform;
*Only 8% of the CIOs and CISOs fully understand the ramifications and potential benefits of having a Cloud based platform;
*70% of them feel it takes too many tools to use a Cloud based platform (which I find completely ironic);
*Much to my surprise, over 75% of the CIOs and CISOs have experienced a data breach with a Cloud service that they are using at the present time.
*The shift to more “intelligent” based IT and Network Infrastructures:
In this particular category, it seems that there is an upcoming trend, or need, to hire CIOs and CISOs who not only have the technical background to understand the Cyber threat landscape, but have an equal amount of effective communication skills as well. For example:
*A mind numbing 69% of the CIOs and CISOs claim that they take a reactive approach to their company’s security posture (meaning they will only act after they have been hit);
*53% of organizations polled now plan to hire what is known as the “Business Information Security Officer” (aka “BISO”) in order to augment the current skillset of their CIO and/or CISO;
*An overwhelming 88% of the companies plan to use some sort of Artificial Intelligence (AI) package to fortify the current Cloud based platform that they are using.
My Thoughts On This
Yes, these are a lot of key numbers to digest and think further about, but here is my take on them. First, it comes as no surprise that the CIO and/or CISO is constantly up at night worrying about security issues. The bottom line is that their job is on the line, and in the views of many, the buck stops with them. But in this regard, I take a much more holistic view.
For example, I think the buck really stops with the Board of Directors of each company in Corporate America. After all, the C-Suite has to ultimately report to them, and they are the ones that give the final approval for budgets, especially when it comes to Cyber related spending. You just cannot pin the blame on one person.
For example, if a business is hit, it could have been caused by an honest mistake made by an employee. Nobody is perfect. Now in this case, who are you going to blame? The employee and/or the CIO/CISO?
In a business environment, everybody has an equal amount of responsibility and stake in the Cyber well-being of their business. There needs to be a fundamental shift towards this way of thinking. If Corporate America can adopt this kind of thinking, then a much more proactive mindset will transpire amongst the CIOs and CISOs.
Second, it is good to see that many of these businesses are finally owning up to the fact that they have a huge responsibility in protecting the PII records of their customer base. In a way, it’s like the medical relationship we have with our doctors.
We trust our lives to them, and in a remarkably similar way, we also trust our financial information will be safe with the businesses that store them for future E-Commerce related transactions. Perhaps in this regard, GDPR and the CCPA may finally be paying off.
Third, as much as I have written about it, I am shocked that some 37% of those organizations polled still use 100+ security technologies and tools, each from different vendors. I simply cannot fathom that. I have a hard time every now and then just keeping up with what I have, and I am an SMB owner.
Maybe there is, for lack of a better terminology, a silver lining to COVID19: less cash means less $$$ to spend on simply procuring more tools, thus literally forcing the CIO and/or CISO to drastically rethink their respective budgets.
Fourth, as mentioned, I will always advocate the usage of either AWS or Azure as a way to get away from an On Prem infrastructure. I have accounts on both of these platforms, and even though I have just started to play around with them, I am totally blown away with what they have to offer to a business. In all seriousness, a CIO/CISO can literally move every IT asset that they have into the Cloud.
But it is important to keep in mind that this does not all happen at once; it requires a lot of careful planning and figuring out the resources that you will need. Then, you need to have a rock solid plan as to how you will move all of this in a seamless fashion, and test your new environment before you make it available to all of your employees in production mode.
In this regard, it is always best to make use of a Cloud Services Provider (aka CSP) to help you out with this entire process. They have all of the requisite experience and skills needed to handle this kind of project. In the end, the Cloud will offer you great benefits such as fixed and affordable pricing, scalability, backups, security, etc.
But there is also one critical aspect to keep in mind: although AWS or Azure will provide you with all of the tools to secure your so called shared environment, the ultimate responsibility for security falls on you, not on them.
Fifth, the days of hiring a full time, salaried CIO and CISO are now waning, and will come to an end. The huge trend now is to hire what is known as a “vCISO”. This is where you actually hire a highly seasoned CIO and/or CISO who has been in the trenches for a long period of time, on a fixed term, contract basis.
The benefits of this are obvious: these are fixed price engagements, and since you are outsourcing this role, there is no need to pay for perks and benefits.
But best of all, these types of people will give you an honest and candid approach as to what you need to do for your business, without being influenced by internal corporate politics or drama. They steer away from that. Also, your newly hired vCISO will probably have an even greater network of contacts that you can also hire on a contract basis to further augment your IT Security team.
Finally, I have only heard the role of “BISO” being bandied about a couple of times. It will be quite interesting to see how this role further develops, as the COVID 19 security issues will be lingering around with us for quite a long time to come yet.