Security teams must stay vigilant when it comes to keeping the organization safe.
Gartner provides eight ways your organization can get stuck when it comes to cybersecurity, leaving you vulnerable.
Cultural and systemic issues can leave your organization vulnerable. Many business leaders still believe that cybersecurity is a problem that can be solved if they invest enough money and hire the right people with the right technical knowledge to keep them safe.
In fact, it is cultural and systemic disconnects between IT executives and non-IT leaders, rather than a lack of technical capacity or funding, that most often leave organizations vulnerable to network attacks.
“These issues provide an opportunity for CIOs and CISOs to rethink how they engage non-IT senior executives to prioritize security,” said Paul Proctor, Distinguished VP Analyst at Gartner.
You can reduce your risk of cyberattacks by addressing these top causes of failure in your organization.
1. Invisible systemic risk
Businesses make decisions on a daily basis that have a negative impact on their security readiness: for example, refusing to close servers for appropriate patching or choosing to continue working on legacy hardware and software to budget savings. These unreported decisions lead to a false sense of security and increase the likelihood and severity of incidents.
Work: Identify, report, and discuss systemic risks as part of normal security administration.
2. Cultural disconnect
Non-IT executives still see security as something “just there,” like air or water. This means it should not be considered part of business decisions. For example, a business leader requesting a new application is unlikely to include “security readiness” as a requirement.
Work: Put cybersecurity into business context so executives can see the impact of their decisions.
3. Throw money at the problem
You can’t buy your way out of risk: no matter what you spend, you won’t be perfectly protected against cyberattacks. By trying to stop every risky activity, you may end up damaging your organization’s ability to function.
Work: Avoid over-investing in security controls that increase operating costs and compromise the organization’s ability to achieve business results.
4. Security as a “guardian”
If security officers are seen as (and act as) the guardians of the organization, that creates a ‘no’ culture. For example, they may block the release of a critical application due to security concerns without considering the business outcomes the application supports.
Work: Position security as a function that balances the need for protection with the needs of business operations.
5. Accountability is broken
Accountability means that the decision to accept a risk is defensible to key stakeholders. If accountability means someone gets fired when something goes wrong, no one will take responsibility for risk decisions.
Work: Reward decision makers that best balance the need to protect with the need to run the business.
6. Poorly formed risk appetite statements
Organizations that make generic, high-level statements about their risk appetite do not support good decision making. Avoid promising to engage only in low-risk activities, as this can create invisible systemic risk.
Work: Create a mechanism that allows risk taking within defined parameters.
7. Unrealistic social expectations
When a high-profile security incident occurs, society just wants heads to roll. While this is unfair, it is the result of decades of treating security as a black box. No one understands how it really works, so when something goes wrong, it is assumed that someone made a mistake.
However, society will not change until organizations and IT departments start treating and talking about security differently.
Work: Speak openly about balancing the need to protect with the need to run the business, rather than accepting the role of scapegoat.
8. Lack of transparency
Some boards and senior executives simply don’t want to hear or admit that security isn’t perfect. Board presentations are filled with good news about security advancements, with little or no discussion of gaps and opportunities for improvement. We know of one company that even decided to route its security discussions through an attorney to keep them confidential.
Work: To address the challenges, IT and non-IT executives must be willing to understand and talk about the realities and limitations of how security works.
Learn more about cybersecurity and other top IT topics at Gartner IT Symposium / Xpo™ 2022, November 7-10, in Barcelona, Spain.