It’s no surprise that cybersecurity is an increasingly important part of the overall business—not just the IT department—and that companies are investing more to protect their data. But there seems to be a fundamental disconnect between the cybersecurity that companies have, what they need, and what could happen. That’s not good, but it also spells opportunity for the technology channel.
According to CompTIA’s recent research report Cybersecurity for Digital Operations, 55% of executives said they are completely satisfied with their current cybersecurity. Set aside for a moment that, philosophically, one should probably never be completely satisfied with security, because threats constantly evolve, adapt and find new vectors to do damage. More telling is that only 35% of IT staff, theoretically the people who best understand the risks faced every day, said they are completely satisfied: far fewer than the executives who lead them.
Does that gap mean executives are overconfident and could become lax in their vigilance? Possibly, says Marc Haskelson, CEO of Compliancy Group and co-chair of CompTIA’s Business Applications Advisory Council.
“Customers must be able to adapt their cybersecurity policies to apply to an array of threats. Cybersecurity is an ongoing issue that should be monitored closely,” Haskelson said. “To be secure, it is important that organizations have a system in place to assess how their current cybersecurity practices measure up to new threats and are able to make changes quickly to keep up with new trends.”
Marrying Cyber with IT, Business for Real Success
The study notes the tension that exists in many organizations today: between tight security measures and end-user convenience, and between robust cybersecurity and innovation. How companies connect cybersecurity to technology adoption is also cause for concern. According to the CompTIA research, 44% of organizations say cybersecurity is handled as a standalone discussion, separate from both the business units and the IT staff.
“The concept of security teams is still a very new idea for most companies. That continues to be the case in 2019,” according to the study.
And that’s a problem. Too often cybersecurity is treated as neither part of the business nor part of IT, when all three functions need to work together to ensure compliance, value and effectiveness.
“There should be an open dialogue on cybersecurity between all departments within an organization,” Haskelson said. “It is essential to ensure that all members are on the same page when it comes to cybersecurity best practices. When there is a disconnect between departments, things fall through the cracks and security measures are not implemented properly.”
Security Needs to Be a Priority
To build a strong cybersecurity posture, a number of hurdles need to be overcome within an organization, including the prioritization of other technology projects, lack of budget, and the belief that current security efforts are “good enough.”
Just within the healthcare industry, most breaches occur because organizations believe they’re doing enough to protect themselves, said Haskelson.
“We have seen with many new customers that they have weak cybersecurity tools in place. There is a widespread misconception that just because an organization is small, it will not be a victim of a breach,” Haskelson said. “This misbelief is putting information at risk, as small businesses are targeted more frequently than large corporations. This is because today’s hackers are more knowledgeable; they realize that small businesses are easier targets.”
Metrics, Training Are Big Channel Opportunities
Moving forward, solution providers need to clearly validate the important role cybersecurity plays in all aspects of business. The ability to demonstrate data-driven metrics in complex environments (especially where human foibles can be largely responsible for security failures) is paramount.
There may even be a correlation between the use of security metrics and satisfaction with security. Use of metrics has grown sharply: in 2019, 39% of organizations cited heavy use of metrics, compared to 21% in 2018, and the share of companies not using security metrics at all fell to 5%, down from 13% a year earlier, according to the study.
Metrics including successful compliance audits, percentage of employees taking security training and percentage of systems with formal risk assessments make up the top three metrics cited in the study.
There are plenty of tools and processes available to track the first and third of those metrics. But don’t sleep on the second: helping customers ensure their employees have completed security training and understand the behavior that minimizes risk is just as important, said Compliancy Group’s Haskelson.
“Modern cybersecurity is more of a human issue than anything else. An organization can have the most sophisticated tech in place protecting their sensitive data but when employees are not properly trained, the tech is ineffective,” he said. “The majority of breaches that occur are due to human error, a lost or stolen device or an employee opening an email that they shouldn’t.”
Interested in learning more about security-related tools and resources? Join CompTIA’s IT Security Community and connect with peers to build on your cybersecurity strategy today.