Cyber Security is a high priority issue for enterprises globally. This should not surprise anyone. The risk of underinvestment is enormous, both directly and indirectly, and is matched only by the consequences of a significant breach. Add to this that when an incident does occur, as with most crisis situations, the cover-up is often worse than the initial incident.
Equifax is the latest example of a CEO being (finally) toppled by a massive breach and the inept crisis management that followed. Some small mercy to the 145 million people who had their identities compromised.
capioIT has often discussed the lack of education and understanding among senior management of cyber and security risk and how it should be managed. This is still an issue, and education will take time.
Other issues involve the relationship between the CISO (Chief Information Security Officer) role and IT. Who does the CISO report to? Where does autonomy lie? Who owns the budget?
Best practice is now to have the CISO report into the highest levels of the organisation, with direct connections to the board and particularly to the risk function. The reporting line may be to the COO, CFO or CEO. This does not undermine the role of the CIO; rather, it reflects where the focus has to be, where education is required, and where the cost and negative outcomes will land if there is a breach (and there will be).
On the vendor side there is, of course, a rush to offer the easiest solution to cyber and security. The problem for the industry is that security technology is the most fragmented sector of the technology ecosystem. A small number of vendors offer a partly comprehensive approach to security and cyber, but no single vendor has a full end-to-end solution. A solution that allows an enterprise or agency to at least stand still in the battle for cyber strength requires multiple vendors and significant integration, which takes time and costs money.
As a result of this speed imperative, it is concerning that at capioIT we regularly talk with enterprises and agencies that have discarded procurement discipline for Cyber Security. Budgets are booming, faster than virtually any other category of enterprise expenditure.
Whilst for some the procurement function and the CPO (Chief Procurement Officer) role are considered a burden on the enterprise, they provide a framework and discipline for cyber spend, just as they do for travel, devices or any other category of expense. Rushing in and buying with no procurement discipline, and therefore without regard to cost, contract or capacity, is tempting in the short term, but it risks further removing or delaying the solution to Cyber from the organisation's front line of risk.
Addressing this comes down to education. Include procurement up front, as you would for any other expenditure. Educate them on the requirements. Get them engaged with the vendors as appropriate. Otherwise, run the risk of long-term pain that may impact the entire organisation.
Cyber Security is a critical industry requirement. Unfortunately, a lack of education, a poor understanding of risk and a very fragmented vendor environment have resulted in a situation where the solutions do not match the threat. This is a challenge across the organisation, and procurement is not insulated from it. Procurement must be included in the overall solution for Cyber, and educated along the way. Taking this approach will ensure that long-term investments are sustainable while minimising the risk of exposure.
If you require further information, please contact Phil Hassey, CEO of capioIT. capioIT is an advisory firm focused on helping organisations to understand emerging technology as the world becomes Digital. Phil may be contacted easily in the digital and real world.