CompTIA has published cybersecurity research every year since I joined the team in 2011. It’s a topic we have consistently explored, thanks to the high level of interest and struggles companies have in building an optimal security posture. In previous years, we have focused on specific aspects of cybersecurity, such as the variety of skills that are needed or how businesses are forming cybersecurity teams. This year, we tied these threads together to take a comprehensive look at the approach companies are taking to cybersecurity as they go through digital transformation.
Cybersecurity shifted dramatically in the early days of cloud adoption. Where the primary focus used to be on building a secure perimeter, there is now a multi-pronged approach to accommodate data hosted on external systems. Companies now build cybersecurity plans that include technology investments, policy creation and user education. At the same time, they have been dealing with a new tension that has also existed since the introduction of cloud-first IT—the constant balancing act between technology innovation and cybersecurity.
One of the more interesting data points in CompTIA’s new report is the way that different parts of the organization view this balancing act. By understanding the dynamics involved, security practitioners can help companies build a robust security posture while still aggressively pursuing new technology. Here are four key takeaways executives, business staff and security providers need to understand about the innovation vs. security tug of war.
Recognize the tradeoffs involved
When asked which way their company leans between technology innovation and cybersecurity, respondents seemed a little confused. 35% said they prioritize innovation over security, 40% said they prioritize security over innovation, and 45% said they try to strike a balance between the two. This leads to 120%, which we in the research business call bananas. It’s not as bad as it seems, though. The survey was designed to figure out if people really understood that these goals are mutually exclusive. Breaking down the responses by job function, IT pros were much more likely to have this understanding, with executives and business staff more likely to want both things at the same time.
Provide guidance on the cost of digital transformation
The confusion that exists on this topic means there is still a disconnect around building enterprise systems. The ease of use around consumer technology and cloud systems has driven a wave of technical confidence among non-technical staff, but this confidence doesn’t necessarily translate to broad understanding. Enterprise systems are incredibly complex, and CompTIA research has shown that business staff still look to IT to handle integration and cybersecurity. Without coming across as a wet blanket, security providers need to take the lead on helping their clients understand the necessary security investments for any new technology initiatives.
Educate on security issues and business goals
As much as security providers need to educate around security issues, they also need their own education around corporate goals. When business leaders say they want digital transformation, they want the new technology to happen on a timeframe that helps them stay competitive, and that is usually the top priority. When presented with direct statements about innovation and cybersecurity, respondents indicated a willingness to strike a balance. But in a different part of the survey, the leading hurdle for cybersecurity initiatives is a prioritization of other technology. In discussions with clients, security providers should advocate for proper security measures, and they should also evolve their own practices to respond to the needs of the business.
Cybersecurity should be a dedicated function
Given the strong desire for innovation, the complex nature of cybersecurity, and the shifting viewpoint of the IT function, it’s increasingly difficult to treat cybersecurity as one of many IT components. There will always be a connection to IT, but CompTIA’s report shows that cybersecurity is a critical business operation, like accounting or legal. Cybersecurity should model these areas, forming a dedicated team from a mix of internal and external resources. With this level of focus, it will be easier to set the risk tolerance of the organization and maintain sustainable practices even in the face of emerging technology adoption.
No one has been ignoring cybersecurity, but there are still hurdles in the way of building a modern approach for the digital era. Managed security service providers and security professionals need to help companies view security as the way to mitigate the risks around emerging tech initiatives. For more on how this is being done, download the full research report.
Seth Robinson is CompTIA's senior director of technology analysis. He's been conducting cybersecurity research since 2011.