According to the report, 71% of enterprises have experienced or expect to experience an internal breach in the next 12–18 months, and 62% expect or have experienced an external breach in the same period. This is an arresting finding – this sense of inevitability among executives could be pushing security down the list of concerns.
When asked about the biggest inhibitor of their enterprise security readiness, respondents' top answer was limited support from corporate or executive-level management.
The way forward
With government regulators and customers more focused on information and data security, enterprises would be well advised to bring in the expertise and execution capabilities to patch holes and build a security-focused business culture as the business drives forward.
Security policy development should not be a one-time check-the-box activity for compliance, however. Just under half (48%) of enterprises review their security policy every year, but large enterprises are leading the way, with 38% indicating that they review their security policy every quarter.
It is important to regularly review and update security policies to take account of changing technologies, business practices, and new hires. For example, with the rise of the contingent workforce, it is increasingly challenging to stay abreast of how many people an organization employs, which applications they each have access to, and what editing rights they have once they access these applications.
The report concludes with some pragmatic recommendations for organizations to improve their cybersecurity:
- Put your money where your mouth is. Highlighting security as a top corporate initiative is positive, but the C-suite must follow this up with an investment commitment.
- Articulate the importance of security. Security professionals and executives must work harder together to articulate the importance of security to their board.
- Treat your security policy and access control rights as living documents that require updating regularly. Security threats appear out of nowhere; policies and controls relevant a month ago may not be now.
- Consider the security implications of all new business initiatives you embark upon. Ensure that security plays an integral role in all new IT projects.
- Give equal weight to your current environment. Be honest with yourself about current security risks across people, processes, and technology.
- Use an external security service provider for strategic and tactical assistance. Security service providers can help you develop a security strategy and implement security solutions. They can also offer threat intelligence, detection, incident response, and ongoing management services. They are likely to be able to perform in some areas more effectively than your internal security team, because it is difficult to stay abreast of all potential threats on an ongoing basis.
- Be open-minded when selecting an external security service provider. There are different types of security service providers in the market, with different core capabilities. Security teams should work closely with the C-suite to identify gaps and establish preferred services to contract.