A recent Widmeyer study confirmed what many of us have long suspected — the good guys’ grasp of technology is lagging behind the bad guys’. Widmeyer surveyed more than 750 IT specialists from Asia, Europe and North America and found that only about half of them have the capabilities to detect major data breaches within the first hour.
And the half that can? Only about a third of this cohort was confident they had the means to contain the breach even if they did manage to detect it.
What Does This Mean for the Business World?
To put it mildly, it means we have a lot of work to do. This and many other studies like it have placed the phrase “security maturity” in our vocabulary, which is a useful way to look at it. For the business world, the advantages of modern connected technologies are too significant to pass up — whether it’s better data and logistics throughout a series of business locations or financial records and digital assets stored in the cloud.
Unfortunately, it looks as though “security maturity” is severely lagging behind “feature maturity.”
The same Widmeyer study revealed that the average corporation has a dozen in-house cybersecurity professionals already. Provided these professionals have up-to-date knowledge (or follow experts who do), this is a great step toward security maturity.
Another step is implementing more rigorous and advanced threat detection — that is, a sort of canary in the coal mine for everything our human specialists can’t see in time. The IT decision-makers polled here revealed that 95 percent of organizations use software-based threat amelioration and that one-quarter of them employ ten or more types of software.
What Does This Mean for Security Professionals?
It’d be hard not to spin at least some of this into good news for security professionals and companies that provide cybersecurity software and consulting.
The lack of preparedness among the average company means this type of professional is in high demand and will likely remain so. According to a Frost & Sullivan report, the year 2020 might arrive with as many as 1.5 million cybersecurity positions unfilled at the corporate level. This isn’t a great situation when you consider that cybersecurity is a national and economic issue in addition to being a reputational one.
When you look at the regions across the world, the United States sits at the lower end of the scale, and Asia-Pacific at the higher, when it comes to the portion of our corporate budgets we set aside for cybersecurity spending. On average, about a third of surveyed businesses allocated just 10 percent of their budget for this purpose. Additionally, only 57 percent of respondents indicated they were satisfied with the way their budget was allocated for threat detection.
It’s not hard to see that what looks like a windfall for security professionals is becoming a major burden for small businesses, though. If you’d have told a small business owner a hundred years ago that they would be expected to spend 10 percent of their budget on preventing people from stealing invisible information stored in the sky, you’d have been laughed at for a good long time.
And yet here we are, in the middle of a talent shortage and a worldwide, practically omnipresent fear of hacking. We can’t even swipe our credit cards at an ATM without patting the machine down for skimmers first. Given the scope and breadth of our digital worries, and the number of companies that now must take them seriously, security professionals these days needn’t have gone to school for a general four-year computer science degree any longer — companies open themselves up to talent with a broad variety of backgrounds, including nontraditional ones.
Meanwhile, the barrier of entry, when it comes to small businesses hoping to compete with those already established, is only likely to rise in costliness. In other words, there seems to be a choice in front of business leaders: invest in cybersecurity measures now, which may or may not work for your particular needs, or hope for the best and save some money on what would have been yet another line-item in your budget.
The Ponemon Institute found that major corporations that “lose” customer data can be on the hook for total financial losses of up to $4 billion in some cases. The huge financial burden somehow looks even worse when you get granular — general business records, when lost to cybercriminals, represents a loss of around $150 per “record.”
Health records, largely because of the robust laws surrounding digital patient information, are an even larger financial liability at around $350 per record. Multiply these numbers by thousands or tens of millions and you have some idea of the scope of the problem — for small businesses and corporations alike.
Apart from paying fines to regulatory bodies, the full cost of a data breach balloons further when you add court fees, investigative procedures and, ultimately, the inevitable spending later on when companies flesh out their cybersecurity capabilities reactively.
What Does This Mean for the World?
There’s one final wrinkle here worth mentioning, and it effectively brings together much of what we’ve talked about — hiring processes, talent shortages and corporate vigilance against threats — and introduces a cultural element to top it all off. It’s clear that technology alone can’t deliver us from technology-based cyber-threats.
And it’s obvious why — according to some authoritative voices, about three-quarters of data breaches are carried out by somebody within the organization. All the security software in the world won’t save your data if the people handling it aren’t trustworthy.
At some point, none of the precautionary measures we’ve dreamt up will matter even a little bit if we don’t tackle the social and cultural patterns — greed, unnecessary want, ritualized nihilism — that result in material and digital theft in the first place.