Editor's note: The following is a guest article from Marc Mazur, research specialist at Info-Tech Research Group. He covers research on security operations, security strategy, ransomware, insider threat, and zero trust.
We're long overdue for a sea change in our approach to digital security. Making this change a reality largely depends on how willing we are — as individuals and organizations — to rethink priorities.
That might be easier said than done.
Security often seems to be the last thing anyone wants to talk about, likely because it can be an annoying facet of the average end-user's day. Everyone complains about having to remember multiple, unique passwords. Or having to change them often. Or having to call the helpdesk when they get locked out. Users complain even more when IT adds dual-factor authentication to the mix.
In theory, everyone wants to be more secure — as long as it isn't an inconvenience.
The same logic plays out for CIOs and IT leaders, except now the stumbling block revolves around revenue, or a lack thereof.
For any organizational decision-maker, security can be expensive in a way that a CRM system is not. Unlike that shiny new platform that drives sales, investing in security doesn't directly drive revenue.
It's a difficult conversation to have with stakeholders: "Buy this and incur this cost because I say we need it. And, by the way, there's no return."
These roadblocks have left IT in the admittedly difficult position of trying to stay ahead of the threat curve armed with insufficient resources. Unfortunately, a fast-changing external threat environment is turning up the heat even more.
Something's got to give, and IT leaders need to change the way they sell security internally. The old narrative of trying to convince those who control budgets that security's a form of high-tech insurance just doesn't hold water in an age where attacks are becoming more frequent, varied and virulent.
The conversation must shift in a more strategically-aligned direction, where everyone understands that security is no longer a tertiary, end-of-line expense, but an integral component of IT and business strategy.
The existential threat of a security failure to an organization's very ability to operate should be a sobering wake-up call to any IT or business leader. Yet as frightening as this prospect may seem, it is actually a blessing in disguise, because it opens the door to have the kind of conversation about security that's long overdue.
In the process, it allows organizations to build strong foundations on which they can pursue future technology trends.
In short, businesses needs to get back to basics by encouraging the creation of a culture of security where "security-first" thinking is built into every layer of IT planning and operations and, begging for budget is a thing of the past. Everyone would understand how a secure foundation flows directly to the bottom line. Failure to do so will expose the organization to unnecessary risks — and potentially create unaffordable costs.
To initiate this crucial discussion, here are the three most pressing drivers of this change — and how they are impacting near- and long-term IT planning and operations — for CIOs to focus on as they try to build a future-ready security culture:
Cloud migration: Beyond changing the way infrastructure, applications, and data are managed, cloud-based services are at the root of a wholesale shift in how security is planned and deployed. Traditional security models designed for on-premises systems simply aren't enough as workloads migrate to the cloud. Each cloud migration initiative must begin with a level-set around how security will work within this new environment.
Data security: In 2020, data security is security, full stop, and IT's primary mission must be maintaining the integrity of all data entrusted to it. The continued prevalence of headlines blaring high-profile breaches and attacks suggests this high-priority reality isn't being internalized. Begin the security conversation with an innate understanding of the organizational data map, and the processes, both current and planned, that are used to manage it all.
Artificial intelligence: There isn't enough budget in the world — or enough people or time — to cover all the presently known and anticipated threats. CIOs need to leverage existing and planned investments in AI to allow security resources to cover a wider range of security-related needs. AI-driven automation holds significant potential to extend IT's reach without busting the budget.
Ultimately, security finds itself on the cusp of a major shift in perception, from an unavoidable cost to a core driver of organizational competitiveness. The conversation may be a difficult one to initiate, but the payoffs for doing are so impactful.