Results from two recent studies suggest that cybersecurity needs an overhaul at most companies with root causes of the problem including poor communication, a lack of employee awareness, slowed productivity and a lack of budget.
In its 2016 Cybersecurity Confidence Report, Barkly, an endpoint security company, surveyed 350 IT pros to determine the top security concerns for 2016 and gauge how confident IT leaders are when it comes to cybersecurity issues. The survey looked at IT leaders' biggest security concerns, levels of confidence around security, number of breaches in 2015, amount of time spent on security, biggest priorities in IT and the downsides to current security solutions -- and, for the most part, the results were grim.
Security is on the top IT leader's mind, especially as hacks become more frequent, sophisticated and malicious, but the report also uncovered some shocking truths about cybersecurity in the enterprise. The report showed major flaws in how businesses and IT leaders approach security, and it boils down to a lack of communication between the C-Suite and IT leaders, as well as a general frustration with how security slows down overall productivity in the company.
But just because security might bog down productivity, or IT leaders and executives suffer from a lack of communication, businesses need to remain vigilant regarding security. Jack Danahy, CTO and co-founder of Barkly, says efficiency should be redefined. "Good security does not bog down efficiency. Efficiency can't be measured by how fast a single user can accomplish a particular task; it must be directly linked to the performance of the organization as a whole."
Confidence in security is low
For IT pros did not express high levels of confidence when it comes to security. Fifty percent reported that they aren't confident in their current security products and initiatives, while one in five don't believe it's even possible to have effective endpoint security. The study shows that three out of four IT leaders say employees' understanding of cybersecurity is, at best, moderate -- which only further diminishes confidence in cybersecurity.
For employees, it's a matter of them not understand what's at stake if they ignore security protocol -- oftentimes they simply feel security measures hinder their productivity, which only motivates them to take shortcuts. Danahy likens enterprise security to a pilot getting a plane ready for take-off. After boarding, passengers have to sit and wait for the pilot to complete a checklist, and it might mean the plane gets off the ground a bit later than scheduled, but "no one thinks of this as bogging down the flying process. It is a thoughtful, proven technique to ensure a higher level of safety."
Most importantly, Danahy says that a lack of confidence from IT or employees aren't valid excuses for why businesses aren't living up to cybersecurity expectations. "Every business leader should know whether they are secure enough or not. They should ask themselves that question, and then force themselves to support the reasons for their response."
[ Related story: 5 tips for defending against advanced persistent threats ]
Difficulty proving security ROI
Another reason IT pros are abandoning effective security practices is that it's difficult to calculate the ROI of security. The study found that 54 percent of respondents have low confidence in their company's ability to demonstrate the ROI of security. For business leaders, the biggest motivation for implementing new process, procedures, or expanding budgets boils down to how much money they can make on the initiative.
But IT pros are finding it hard to concretely define the ROI around security, whether it's purchasing new software, hardware or implementing company-wide security measures. Still, 52 percent of IT executives say they "would still jump at the chance to purchase new, improved security software, and one in four say there is no limit to what they would pay for something more effective and reliable."
Another cybersecurity study from the ISACA/RSA found that, while 82 percent of board members are concerned about cybersecurity, the reality is that only one in seven CIOs report directly to the CEO and most are completely left off the board. And that's in an environment where 74 percent of security pros believe a cyberattack will occur in 2016, with 30 percent reporting daily phishing attempts, according to the study.
Businesses might need to move beyond an ROI-based attitude -- at least around cybersecurity -- says Eddie Schwartz, ISACA board member, chair of ISACA's Cybersecurity Task Force and president and COO of WhiteOps. "It's ridiculous to talk about ROI or the lack of ROI relative to cybersecurity at this point. It's clear from all of the breaches over the last several years that cybersecurity should be a key investment area for CIOs. If CIOs can't explain the value of security investments as easily as they explain the value of other features of their IT investment programs, they should not be CIOs."
[ Related story: 5 signs you've been hit with an advanced persistent threat ]
Are IT pros are giving up?
The survey asked how many breaches respondents experienced in the last year, and one third of respondents said they weren't sure. But for those who were aware, companies with less than 1,000 employees averaged two breaches, while companies with over 10,000 employees reported an average of 2.7 breaches for the year. The study from ISACA/RSA found similar stats for 2015, with 24 percent stating they "didn't know" if user credentials were hacked or stolen or if hackers exploited their organization. Twenty-three percent couldn't say if they had experienced an "advanced persistent threat attack," while 20 percent didn't know if corporate assets were "hijacked for botnet use."
When asked in the Barkly study what the biggest issues around implementing effective security procedures are, 41 percent said they slow down the system, 33 percent said they're too expensive, 36 percent cited too many updates and 20 percent said that security "requires too much headcount to manage." IT leaders are being forced to choose between strong security and productivity, and most companies are sticking to the latter, according to the data from Barkly. Ultimately, these solutions aren't stopping breaches, as the study points out, and the effects are simply slowing down day-to-day business.
But if security pros are worried now, it's only going to get worse as technology changes faster and becomes more advanced. And as the skills gap grows wider -- with too many security jobs and not enough qualified candidates to fill them -- the problem will only increase. The ISACA/RSA study also found that two emerging industry trends -- artificial intelligence and the Internet of Things -- are causing growing concern for security pros. The study found that 42 percent believed AI would increase risk in the short term, while 62 percent agreed that it will certainly cause problems in the long term. More than half of the respondents also cited the IoT as a potential platform for more expansive and intelligent hacks.
Ultimately, the results from both show businesses need to reconsider their cybersecurity measures. "IT leaders should see security as an intrinsic and critical part of their overall program. By doing so, they would be demonstrating leadership across their own organization and for their customers that they care about protecting information," Schwartz says.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.