IT leaders on 2021 opportunities, challenges and key technology trends

IEEE released the results of a survey of CIOs and CTOs in the U.S., U.K., China, India and Brazil regarding the most important technologies for 2021 overall, the impact of the COVID-19 pandemic on the speed of their technology adoption and the industries expected to be most impacted by technology in the year ahead.


2021 most important technologies and challenges

Which will be the most important technologies in 2021? Among total respondents, 32% say AI and machine learning, followed by 5G (20%) and IoT (14%).

Manufacturing (19%), healthcare (18%), financial services (15%) and education (13%) are the industries that most believe will be impacted by technology in 2021, according to the CIOs and CTOs surveyed.

At the same time, 52% of CIOs and CTOs see their biggest challenge in 2021 as dealing with aspects of COVID-19 recovery in relation to business operations. These challenges include a permanent hybrid remote and office work structure (22%), office and facilities reopenings and return (17%), and managing permanent remote working (13%).

However, 11% said the agility to stop and start IT initiatives as this unpredictable environment continues will be their biggest challenge. Another 11% cited online security threats, including those related to remote workers, as the biggest challenge they see in 2021.

Technology adoption, acceleration and disaster preparedness due to COVID-19

CIOs and CTOs surveyed have sped up adopting some technologies due to the pandemic:

  • 55% of respondents have accelerated adoption of cloud computing
  • 52% have accelerated 5G adoption
  • 51% have accelerated AI and machine learning

The adoption of IoT (42%), augmented and virtual reality (35%) and video conferencing (35%) technologies have also been accelerated due to the global pandemic.

Compared to a year ago, 92% of CIOs and CTOs believe their company is better prepared to respond to a potentially catastrophic interruption such as a data breach or natural disaster. What’s more, of those who say they are better prepared, 58% strongly agree that COVID-19 accelerated their preparedness.

When asked which technologies will have the greatest impact on global COVID-19 recovery, 25% of those surveyed said AI and machine learning.

Cybersecurity

The top two concerns for CIOs and CTOs when it comes to the cybersecurity of their organization are security issues related to the mobile workforce including employees bringing their own devices to work (37%) and ensuring the IoT is secure (35%). This is not surprising, since the number of connected devices such as smartphones, tablets, sensors, robots and drones is increasing dramatically.

34% of CIO and CTO respondents said they can track and manage 26-50% of devices connected to their business, while 20% of those surveyed said they could track and manage 51-75% of connected devices.

84% of global decision makers accelerating digital transformation plans

Unit4 surveyed business and IT decision makers and users working in service industries in August and September 2020, to understand how well organizations are embracing innovation and adapting to the challenges of the pandemic.


Growing people-centric innovation

The study shows that 84% of global decision makers are accelerating their digital transformation plans, in response to growing demands from users, who want more flexibility to work remotely in the future.

During COVID-19, global decision makers cited three main impacts on their enterprise applications strategies. They have become more agile in their planning (49%) and acknowledge the pace of innovation (42%) has increased, while 35% say it has sped up their investment in moving to the cloud and 24% are more comfortable failing fast.

They’ve also outlined specific priorities to enable workforces to be more productive, which shows that innovation has become much more focused on the needs of users.

As decision makers look ahead to future strategies, the research identifies the top three priorities for users, which decision makers must respond to:

  • Having the freedom to access IT systems so they can work from anywhere
  • Better tools for collaboration
  • Increased automation to reduce their workloads.

Consequently, decision makers say their future IT plans are very people-centric, listing their main objectives as: wanting to enable the flexibility of remote working, creating environments to encourage greater collaboration and empowering employees to be more productive, as well as meeting the demands of customers. Decision makers believe this is achievable by focusing on three tech-based priorities:

  • Building a simple and intuitive user interface and experience – 43%
  • Using automation to simplify and speed up workflows – 39%
  • Enabling users to communicate with enterprise applications using their preferred tools, such as Slack and WhatsApp – 38%

The adaptable organization

As many organizations transitioned to remote working during 2020, a positive outcome has been that 60% of global users say they have been more productive during lockdown. They are also predominantly satisfied that their IT systems have helped them to get the most out of their roles.

It is perhaps unsurprising that 84% of global decision makers want to encourage colleagues to work remotely more often following the lockdown, which is mirrored by 69% of global users who also want the same flexibility.

Clearly, now that organizations have proven their enterprise IT systems can handle the demands of a remote, distributed workforce there is confidence they can sustain the model.

However, there are challenges ahead, as 34% of global decision makers say they must break down silos of information across their organizations and 31% of users are reluctant to change.

On a more positive note a resounding majority (84%) say that the pandemic is forcing meaningful board discussions about future strategy, which clearly shows C-Suite decision makers are engaged.

Traditional on-premise IT systems not capable of reacting to rapid change

77% of global decision makers also believe traditional on-premise IT systems and enterprise applications are not capable of reacting to rapid change, which is why 86% say the cloud offers more flexibility, with more than two-thirds expecting their enterprise applications to be fully cloud-based in the next two years.

“New ways of working, initially broadly imposed by the global pandemic, are morphing into lasting models for the future,” said Mickey North Rizza, program vice president for IDC‘s Enterprise Applications and Digital Commerce research practice.

“Permanent technology changes, underpinned by improved collaboration, include supporting hybrid work, accelerating cloud use, increasing automation, going contactless, adopting smaller TaskApps, and extending the partnership ecosystem. Enterprise application vendors need to assess their immediate and long-term strategies for delivering collaboration platforms in conjunction with their core software.”

“If we’ve learned anything this year, it’s that the business environment can change almost overnight, and as business leaders we have to be able to reimagine our organizations and seize opportunities to secure sustainable competitive advantage,” said Mike Ettling, CEO, Unit4.

“Our study shows what is possible with continued investment in innovation and a people-first, flexible enterprise applications strategy. As many countries go back into some form of lockdown, this people-centric focus is crucial if businesses are to survive the challenges of the coming months.”

Managing risk remains a significant challenge

While COVID-19 has created new concerns and deepened traditional challenges for IT, organizations with complete insight and governance of their technology ecosystem are better positioned to achieve their priorities, a Snow Software survey of 1,000 IT leaders and 3,000 workers in the United States, United Kingdom, Germany and Australia reveals.


The challenge of managing risk

In fact, mature technology intelligence – defined as the ability to understand and manage all technology resources – correlated to resilience and growth. Of the IT leaders classified as having mature technology intelligence, 79% were confident in their organization’s ability to weather current events and 100% indicated that innovation continues to be a strategic focus for their organization.

“IT teams around the world had to contend with extraordinary challenges this year due to the impact of COVID-19,” said Alastair Pooley, CIO at Snow.

“The complexities, risks and budget concerns IT departments traditionally face have been exacerbated, and a rapid acceleration of digital transformation and cloud adoption has brought new issues to the forefront. Now more than ever, IT leaders need to be in a position to quickly adapt to these macro trends as they define their top technology priorities in 2021.”

Technology management has become increasingly difficult

Many IT leaders indicated increases in technology spend across the board – on software, hardware, SaaS and cloud – over the past 12 months. Faced with more complex ecosystems, it is no surprise that 63% also reported technology management had become more difficult.

As anticipated budget restrictions go into effect for 2021, IT leaders will need to demonstrate the value of their investments and ensure proper governance over their entire technology stack.

Improved employee perception of IT

Employee perception of IT has improved, but differing perceptions on technology management and procurement hint at potential issues. While 41% of workers believe that access to technology has improved, there remains a 22-point gap between IT leaders and employees on how easy it is to purchase software, applications or cloud services.

This is not the only area where IT leaders and workers have varying views. Though they agree that security is the number one issue caused by unmanaged and unaccounted for technology, awareness of additional issues drops dramatically after that, with 16% of workers believing it causes no business issues whatsoever.

The data suggests continued challenges ahead for organizations as they try to reduce risk across the board.

Vendor audits a looming but potentially underestimated risk in 2021

87% of IT leaders said they had been audited by a software vendor over the last 12 months.

The vendors that audited the most were Microsoft, IBM, Oracle, Adobe and SAP. Yet only 51% said they were concerned about audits over the next 12 months, an answer that varied wildly based on geography – 81% of US leaders said they were concerned compared to just 30% in Germany and 42% in the UK.

Based on 2020 trends as well as vendor behavior following the 2008 recession, it appears European IT leaders are significantly underestimating this risk.

Organization’s top IT priorities

Organizations’ top IT priorities are inherently at odds with each other and often align with the IT department’s biggest challenges. IT leaders reported that their organization’s top priorities in 2020 were adopting new technologies (38%), reducing security risks (38%) and reducing IT spend (38%).

They paralleled the biggest challenges IT leaders faced over the past 12 months with managing cybersecurity threats (43%), implementing new technologies (40%) and supporting remote work (39%). Juggling these conflicting and difficult priorities became even more complicated in light of COVID-19.

Few meeting the bar for mature technology intelligence

Strong technology intelligence enabled IT leaders to more effectively tackle their top priorities and challenges. Just 14% of IT leaders met the bar for mature technology intelligence. This elite group outpaced other respondents in their ability to support digital transformation, reduce risk, enable employees and control spend.

“As we collectively look ahead to 2021, it’s more important than ever that CIOs and IT leaders strike the right balance between managing risk and remaining agile in the face of continued unpredictability,” said Pooley.

“It is clear from the data that a comprehensive understanding of technology resources and the ability to manage them is a key differentiator. IT leaders can use the insights to endure challenging periods like the pandemic, as well as embrace innovation to drive future growth and resilience.”

Enterprises embrace Kubernetes, but lack security tools to mitigate risk

Businesses are increasingly moving multiple applications to the cloud using containers and using Kubernetes for orchestration, according to Zettaset.


However, findings also confirm that organizations are inadequately securing the data stored in these new cloud-native environments and continue to leverage existing legacy security technology as a solution.

Businesses are faced with significant IT-related challenges as they strive to keep up with the demands of digital transformation. Now more than ever to maintain a competitive edge, companies are rapidly developing and deploying new applications.

Companies must invest in high performance data protection

The adoption of containers, microservices and Kubernetes for orchestration play a significant role in these digital acceleration efforts. And yet, while many companies are eager to adopt these new cloud-native technologies, research shows that companies are not accurately weighing the benefits of enterprise IT innovation with inherent security risks.

“Data security should be a fundamental requirement for any enterprise organization and the adoption of new technology should not change that,” said Tim Reilly, CEO, Zettaset.

“Our goal with this research was to determine whether enterprise organizations who are actively transitioning from DevOps to DevSecOps are investing in proper security and data protection technology. And while findings confirm that companies are in fact making the strategic decision to shift towards cloud-native environments, they are currently ill-equipped to secure their company’s most critical asset: data.

“Companies must invest in high performance data protection so as to secure critical information in real-time across any architecture.”

The conclusions

  • Organizations are embracing the cloud and cloud-native technologies: 39% of respondents have multiple production applications deployed on Kubernetes. But, companies are still struggling with the complexities associated with these environments and how to secure deployments.
  • Cloud providers have considerable influence over Kubernetes distribution: A little over half of those surveyed are using open source Kubernetes available through the Cloud Native Computing Foundation (CNCF). And 34.7% of respondents are using a Kubernetes offering managed by an existing cloud provider such as AWS, Google, Azure, and IBM.
  • Kubernetes security best practices have yet to be identified: 60.1% of respondents believe there is a lack of education and awareness of the proper ways to mitigate the risk associated with storing data in cloud-native environments. And 43.2% are confident that multiple vulnerable attack surfaces are created with the introduction of Kubernetes.
  • Companies have yet to evolve their existing security strategies: Almost half of respondents (46.5%) are using traditional data encryption tools to protect their data stored in Kubernetes clusters. Over 20% are finding that these traditional tools are not performing as desired.


“The results of our research substantiate the notion that enterprise organizations are moving forward with cloud-native technologies such as containers and Kubernetes. What we were most interested in discovering was how these companies are approaching security,” said Charles Kolodgy, security strategist and author of the report.

“Companies overall are concerned about the wide range of potential attack surfaces. They are applying legacy solutions but those are not designed to handle today’s ever-evolving threat landscape, especially as data is being moved off-premise to cloud-based environments.

“To stay ahead of what’s to come, companies must look to solutions purposely built to operate in a Kubernetes environment.”

What CIOs must do to create resilient and adaptive future enterprises

As the chief owners of the digital infrastructure that underpins all aspects of modern enterprises, CIOs must play pivotal roles in the road to recovery, “seeking the next normal” while still performing their traditional roles. A new IDC study outlines concrete actions that CIOs can and must take to create resilient and adaptive future enterprises with technology.


“In a time of turbulence and uncertainty, CIOs and senior IT leaders must discern how IT will enable the future growth and success of their enterprise while ensuring its resilience,” said Serge Findling, VP of Research for IDC‘s IT Executive Programs (IEP).

“The ten predictions in this study outline key actions that will define the winners in recovering from current adverse events, building resilience, and enabling future growth.”

Predictions to keep CIOs resilient

Prediction 1 – #CIOAIOPS: By 2022, 65% of CIOs will digitally empower and enable front-line workers with data, AI, and security to extend their productivity, adaptability, and decision-making in the face of rapid changes.

Prediction 2 – #Risks: Unable to find adaptive ways to counter escalating cyberattacks, unrest, trade wars, and sudden collapses, 30% of CIOs will fail in protecting trust — the foundation of customer confidence — by 2021.

Prediction 3 – #TechnicalDebt: Through 2023, coping with technical debt accumulated during the pandemic will shadow 70% of CIOs, causing financial stress, inertial drag on IT agility, and “forced march” migrations to the cloud.

Prediction 4 – #CIORole: By 2023, global crises will make 75% of CIOs integral to business decision making as digital infrastructure becomes the business OS while moving from business continuation to re-conceptualization.

Prediction 5 – #Automation: To support safe, distributed work environments, 50% of CIOs will accelerate robotization, automation, and augmentation by 2024, making change management a formidable imperative.

Prediction 6 – #RollingCrisis: By 2023, CIO-led adversity centers will become a permanent fixture in 65% of enterprises, focused on building resilience with digital infrastructure, and flexible funding for diverse scenarios.

Prediction 7 – #CX: By 2025, 80% of CIOs alongside LOBs will implement intelligent capabilities to sense, learn, and predict changing customer behaviors, enabling exclusive customer experiences for engagement and loyalty.

Prediction 8 – #Low/NoCode: By 2025, 60% of CIOs will implement governance for low/no-code tools to increase IT and business productivity, help LOB developers meet unpredictable needs, and foster innovation at the edge.

Prediction 9 – #ControlSystems: By 2025, 65% of CIOs will implement ecosystem, application, and infrastructure control systems founded on interoperability, flexibility, scalability, portability, and timeliness.

Prediction 10 – #Compliance: By 2024, 75% of CIOs will absorb new accountabilities for the management of operational health, welfare, and employee location data for underwriting, health, safety, and tax compliance purposes.

Enterprises should strive for composability to be resilient during uncertainty

CIOs and IT leaders who use composability to deal with continuing business disruption due to the COVID-19 pandemic and other factors will make their enterprises more resilient, more sustainable and make more meaningful contributions, according to Gartner.


Analysts said that composable business means architecting for resilience and accepting that disruptive change is the norm. It supports a business that exploits the disruptions digital technology brings by making things modular – mixing and matching business functions to orchestrate the proper outcomes.

It supports a business that senses – or discovers – when change needs to happen; and then uses autonomous business units to creatively respond.

For some enterprises digital strategies became real for the first time

According to the 2021 Gartner Board of Directors survey, 69% of corporate directors want to accelerate enterprise digital strategies and implementations to help deal with the ongoing disruption. For some enterprises that means that their digital strategies became real for the first time, and for others that means rapidly scaling digital investments.

“Composable business is a natural acceleration of the digital business that organizations live every day,” said Daryl Plummer, research VP, Chief of Research and Gartner Fellow. “It allows organizations to finally deliver the resilience and agility that these interesting times demand.”

Don Scheibenreif, research VP at Gartner, explained that composable business starts with three building blocks — composable thinking, which ensures creative thinking is never lost; composable business architecture, which ensures flexibility and resiliency; and composable technologies, which are the tools for today and tomorrow.

“The world today demands something different from us. Composing – flexible, fluid, continuous, even improvisational – is how we will move forward. That is why composable business is more important than ever,” said Mr. Scheibenreif.

“During the COVID-19 pandemic crisis, most CIOs leveraged their organizations’ existing digital investments, and some CIOs accelerated their digital strategies by investing in some of the three composable building blocks,” said Tina Nunno, research VP and Gartner Fellow.

“To ensure their organizations were resilient, many CIOs also applied at least one of the four critical principles of composability, gaining more speed through discovery, greater agility through modularity, better leadership through orchestration, and resilience through autonomy.”

Composable business resilience

Analysts said that these four principles can be viewed differently depending on which building block organizations are working with:

  • In composable thinking, these are design principles. They guide an organization’s approach to conceptualizing what to compose, and when.
  • In composable business architecture, they are structural capabilities, giving an organization the mechanisms to use in architecting its business.
  • In composable technologies, they are product design goals driving the features of technology that support the notions of composability.

“In the end, organizations need the principles and the building blocks to intentionally make composability real,” said Mr. Plummer.

The building blocks of composability can be used to pivot quickly to a new opportunity, industry, customer base or revenue stream. For example, a large Chinese retailer used composability when the pandemic hit to help re-architect their business. They used composable thinking and chose to pivot to live streaming sales activities.

They embraced social marketing technology and successfully retained over 5,000 in-store sales and customer support staff to become live streaming hosts. The retailer suffered no layoffs and minimal revenue loss.

“Throughout 2020, CIOs and IT leaders maintained their composure and delivered tremendous value,” said Ms. Nunno. “The next step is to create a more composable business using the three building blocks and applying the four principles. With composability, organizations can achieve digital acceleration, greater resiliency and the ability to innovate through disruption.”

Cloud environment complexity has surpassed human ability to manage

IT leaders are increasingly concerned that accelerated digital transformation, combined with the complexity of modern multicloud environments, is putting already stretched digital teams under too much pressure, a Dynatrace survey of 700 CIOs reveals.


This leaves little time for innovation, and limits teams’ ability to prioritize tasks that drive greater value and better outcomes for the business and its customers.

Key findings

  • 89% of CIOs say digital transformation has accelerated in the last 12 months, and 58% predict it will continue to speed up.
  • 86% of organizations are using cloud-native technologies, including microservices, containers, and Kubernetes, to accelerate innovation and achieve more successful business outcomes.
  • 63% of CIOs say the complexity of their cloud environment has surpassed human ability to manage.
  • 44% of IT and cloud operations teams’ time is spent on manual, routine work just ‘keeping the lights on’, costing organizations an average of $4.8 million per year.
  • 56% of CIOs say they are almost never able to complete everything the business needs from IT.
  • 70% of CIOs say their team is forced to spend too much time doing manual tasks that could be automated if only they had the means.

“The benefits of IT and business automation extend far beyond cost savings. Organizations need this capability – to drive revenue, stay connected with customers, and keep employees productive – or they face extinction,” said Bernd Greifeneder, CTO at Dynatrace.

“Increased automation enables digital teams to take full advantage of the ever-growing volume and variety of observability data from their increasingly complex, multicloud, containerized environments. With the right observability platform, teams can turn this data into actionable answers, driving a cultural change across the organization and freeing up their scarce engineering resources to focus on what matters most – customers and the business.”

Cloud environment complexity

  • Organizations are using cloud-native technologies including microservices (70%), containers (70%) and Kubernetes (54%) to advance innovation and achieve more successful business outcomes.
  • However, 74% of CIOs say the growing use of cloud-native technologies will lead to more manual effort and time spent ‘keeping the lights on’.

Traditional tools and manual effort cannot keep up

  • On average, organizations are using 10 monitoring solutions across their technology stacks. However, digital teams only have full observability into 11% of their application and infrastructure environments.
  • 90% of CIOs say there are barriers preventing them from monitoring a greater proportion of their applications.
  • The dynamic nature of today’s hybrid, multicloud ecosystems amplifies complexity. 61% of CIOs say their IT environment changes every minute or less, while 32% say their environment changes at least once every second.

CIOs call for radical change

  • 74% of CIOs say their organization will lose its competitive edge if IT is unable to spend less time ‘keeping the lights on’.
  • 84% said the only effective way forward is to reduce the number of tools and amount of manual effort IT teams invest in monitoring and managing the cloud and user-experience.
  • 72% said they cannot keep plugging monitoring tools together to maintain observability. Instead, they need a single platform covering all use cases and offering a consistent source of truth.


Observability, automation, and AI are key

  • 93% of CIOs said AI-assistance will be critical to IT’s ability to cope with increasing workloads and deliver maximum value to the business.
  • CIOs expect automation in cloud and IT operations will reduce the amount of time spent ‘keeping the lights on’ by 38%, saving organizations $2 million per year, on average.
  • Despite this advantage, just 19% of all repeatable operations processes for digital experience management and observability have been automated.

“History has shown successful organizations use disruptive moments to their advantage,” added Greifeneder. “Now is the time to break silos, establish a true BizDevOps approach, and deliver agile processes across a consistent, continuous delivery stack.

“This is essential for effective and intelligent automation and, more importantly, to enable engineers to take more end-to-end responsibility for the outcomes and value they create for the business.”

Major gaps in virtual appliance security plague organizations

As evolution to the cloud is accelerated by digital transformation across industries, virtual appliance security has fallen behind, Orca Security reveals.


Virtual appliance security

The report illuminated major gaps in virtual appliance security, finding many are being distributed with known, exploitable and fixable vulnerabilities and on outdated or unsupported operating systems.

To help move the cloud security industry towards a safer future and reduce risks for customers, 2,218 virtual appliance images from 540 software vendors were analyzed for known vulnerabilities and other risks to provide an objective assessment score and ranking.

Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments.

“Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, CEO, Orca Security.

“The Orca Security 2020 State of Virtual Appliance Security Report shows how organizations must be vigilant to test and close any vulnerability gaps, and that the software industry still has a long way to go in protecting its customers.”

Known vulnerabilities run rampant

Most software vendors are distributing virtual appliances with known vulnerabilities and exploitable and fixable security flaws.

  • The research found that less than 8 percent of virtual appliances (177) were free of known vulnerabilities. In total, 401,571 vulnerabilities were discovered across the 2,218 virtual appliances from 540 software vendors.
  • For this research, 17 critical vulnerabilities were identified, deemed to have serious implications if found unaddressed in a virtual appliance. Some of these well-known and easily exploitable vulnerabilities included: EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed.
  • Meanwhile, 15 percent of virtual appliances received an F rating, deemed to have failed the research test.
  • More than half of tested virtual appliances were below an average grade, with 56 percent obtaining a C rating or below (15.1 percent F; 16.1 percent D; 25 percent C).
  • However, due to a retesting of the 287 updates made by software vendors after receiving findings, the average grade of these rescanned virtual appliances has increased from a B to an A.

Outdated appliances increase risk

Multiple virtual appliances were at security risk from age and lack of updates. The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.

  • The research found that only 14 percent (312) of the virtual appliance images had been updated within the last three months.
  • Meanwhile, 47 percent (1,049) had not been updated within the last year; 5 percent (110) had been neglected for at least three years, and 11 percent (243) were running on out of date or EOL operating systems.
  • However, some outdated virtual appliances have been updated after initial testing. For example, Redis Labs had a product that scored an F due to an out-of-date operating system and many vulnerabilities, but now scores an A+ after updates.

The silver lining

Under the principle of Coordinated Vulnerability Disclosure, researchers emailed each vendor directly, giving them the opportunity to fix their security issues. Fortunately, the tests have started to move the cloud security industry forward.

As a direct result of this research, vendors reported that 36,259 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution. Some of these key corrections or updates included:

  • Dell EMC issued a critical security advisory for its CloudBoost Virtual Edition
  • Cisco published fixes to 15 security issues found in one of its virtual appliances scanned in the research
  • IBM updated or removed three of its virtual appliances within a week
  • Symantec removed three poorly scoring products
  • Splunk, Oracle, IBM, Kaspersky Labs and Cloudflare also removed products
  • Zoho updated half of its most vulnerable products
  • Qualys updated a 26-month-old virtual appliance that included a user enumeration vulnerability that Qualys itself had discovered and reported in 2018

Maintaining virtual appliances

For customers and software vendors concerned about the issues illuminated in the report, there are corrective and preventive actions that can be taken. Software suppliers should ensure their virtual appliances are well maintained and that new patches are provided as vulnerabilities are identified.

When vulnerabilities are discovered, the product should be patched or withdrawn from use. Meanwhile, vulnerability management tools can also discover virtual appliances and scan them for known issues. Finally, companies should use these tools to scan every virtual appliance, whichever software vendor supplied it, for vulnerabilities before putting it into use.

Securing mobile devices, apps, and users should be every CIO’s top priority

More than 80% of global employees do not want to return to the office full-time, despite 30% of employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.


The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.

Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.

Mobile devices and a new threat landscape

The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.

“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.

“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and are increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”

The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.

Hybrid Henry

  • Typically works in financial services, professional services or the public sector.
  • Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
  • Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
  • Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.

Mobile Molly

  • Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
  • Relies on remote collaboration tools and cloud suites to get work done.
  • Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
  • Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
  • This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.

Desktop Dora

  • Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
  • Prefers to work on a desktop computer from a fixed location than on mobile devices.
  • Relies heavily on productivity suites to communicate with colleagues in and out of the office.
  • Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.

Frontline Fred

  • Works on the frontlines in industries like healthcare, logistics or retail.
  • Works from fixed and specific locations, such as hospitals or retail shops; this employee can’t work remotely.
  • Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
  • Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application downtime, given the specialist nature of their work.

“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need to adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.

“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.

“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”

How do I select a data storage solution for my business?

We live in the age of data. We are constantly producing it, analyzing it, figuring out how to store and protect it, and, hopefully, using it to refine business practices. Unfortunately, 58% of organizations make decisions based on outdated data.

While enterprises are rapidly deploying technologies for real-time analytics, machine learning and IoT, they are still utilizing legacy storage solutions that are not designed for such data-intensive workloads.

To select a suitable data storage solution for your business, you need to think about a variety of factors. We’ve talked to several industry leaders to get their insight on the topic.

Phil Bullinger, SVP and General Manager, Data Center Business Unit, Western Digital

Selecting the right data storage solution for your enterprise requires evaluating and balancing many factors. The most important is aligning the performance and capabilities of the storage system with your critical workloads and their specific bandwidth, application latency and data availability requirements. For example, if your business wants to gain greater insight and value from data through AI, your storage system should be designed to support the accelerated performance and scale requirements of analytics workloads.

Storage systems that maximize the performance potential of solid state drives (SSDs) and the efficiency and scalability of hard disk drives (HDDs) provide the flexibility and configurability to meet a wide range of application workloads.

Your applications should also drive the essential architecture of your storage system, whether directly connected or networked, whether required to store and deliver data as blocks, files, objects or all three, and whether the storage system must efficiently support a wide range of workloads while prioritizing the performance of the most demanding applications.

Consideration should be given to your overall IT data management architecture to support the scalability, data protection, and business continuity assurance required for your enterprise, spanning from core data centers to those distributed at or near the edge and endpoints of your enterprise operations, and integration with your cloud-resident applications, compute and data storage services and resources.

Ben Gitenstein, VP of Product Management, Qumulo

When searching for the right data storage solution to support your organizational needs today and in the future, it’s important to select a solution that is trusted, scalable to secure demanding workloads of any size, and ensures optimal performance of applications and workloads both on premises and in complex, multi-cloud environments.

With the recent pandemic, organizations are digitally transforming faster than ever before, and leveraging the cloud to conduct business. This makes it more important than ever that your storage solution has built in tools for data management across this ecosystem.

When evaluating storage options, be sure to do your homework and ask the right questions. Is it a trusted provider? Would it integrate well within my existing technology infrastructure? Your storage solution should be easy to manage and meet the scale, performance and cloud requirements for any data environment and across multi-cloud environments.

Also, be sure the storage solution gives IT control over how they manage storage capacity needs and delivers real-time insight into analytics and usage patterns, so they can make smart storage allocation decisions and maximize an organization’s storage budget.

David Huskisson, Senior Solutions Manager, Pure Storage

Data backup and disaster recovery features are critically important when selecting a storage solution for your business, as no organization is now immune to ransomware attacks. When systems go down, they need to be recovered as quickly and safely as possible.

Look for solutions that offer simplicity in management, can ensure backups are viable even when admin credentials are compromised, and can be restored quickly enough to greatly reduce major organizational or financial impact.

Storage solutions that are purpose-built to handle unstructured data are a strong place to start. By definition, unstructured data means unpredictable data that can take any form, size or shape, and can be accessed in any pattern. These capabilities can accelerate small, large, random or sequential data, and consolidate a wide range of workloads on a unified fast file and object storage platform. It should maintain its performance even as the amount of data grows.

If you have an existing backup product, you don’t need to rip and replace it. There are storage platforms with robust integrations that work seamlessly with existing solutions and offer a wide range of data-protection architectures so you can ensure business continuity amid changes.

Tunio Zafer, CEO, pCloud

Bear in mind: your security team needs to assist. Answer these questions to find the right solution: Do you need ‘cold’ storage or cloud storage? If you’re looking to only store files for backup, you need a cloud backup service. If you’re looking to store, edit and share, go for cloud storage. Where are their storage servers located? If your business is located in Europe, the safest choice is a storage service based in Europe.

Best case scenario – your company is going to grow. Look for a storage service that offers scalability. What is their data privacy policy? Research whether someone can legally access your data without your knowledge or consent. Switzerland has one of the strictest data privacy laws globally, so choosing a Swiss-based service is a safe bet. How is your data secured? Look for a service that offers robust encryption in-transit and at-rest.

Client-side encryption means that your data is secured on your device and is transferred already encrypted. What is their support package? At some point, you’re going to need help. A data storage service whose support package is included for free and answers within 24 hours is preferable.

Working together to secure our expanding connected health future

Securing medical devices is not a new challenge. Former Vice President Cheney, for example, had the wireless capabilities of a defibrillator disabled when implanted near his heart in 2007, and hospital IT departments and health providers have for years secured medical devices to protect patient data and meet HIPAA requirements.


With the expansion of security perimeters, the surge in telehealth usage (particularly during COVID-19), and proliferation in the number and types of connected technologies, healthcare cybersecurity has evolved into a more complex and urgent effort.

Today, larger hospital systems have approximately 350,000+ medical devices running simultaneously. On top of this, millions of additional connected devices are maintained by the patients themselves. Over the next 10 years, it’s estimated the number of connected medical devices could increase to roughly 50 billion, driven by innovations such as 5G, edge computing, and more. This rise in connectivity has increased the threat of cyberattacks not just to patient data, but also patient safety. Vulnerabilities in healthcare technology (e.g., an MRI machine or pacemaker) can lead to patient harm if diagnoses are delayed or the right treatments don’t get to the right people.

What can the healthcare industry do to strengthen their defenses today? How can they lay the groundwork for more secure devices and networks tomorrow?

The challenges are interconnected. The solutions cannot be siloed, and collaboration between manufacturers, doctors, healthcare delivery organizations and regulators is more critical now than ever before.

Device manufacturers: Integrating security into product design

Many organizations view medical device cybersecurity as protecting technology while it is deployed as part of a local network. Yet medical devices also need to be designed and developed with mobile and cloud security in mind, with thoughtful consideration about the patient experience. It is especially important we take this step as medical technology moves beyond the four walls of the hospital and into the homes of patients. The connected device itself needs to be secure, rather than relying on the security of the network around it.

We also need greater visibility and transparency across the medical device supply chain—a “software bill of materials.” The multicomponent nature of many medical products, such as insulin pumps or pacemakers, makes the final product feel like a black box: hospitals and users know what it’s intended to do, but they don’t have much understanding of the individual components that make everything work. That makes it difficult to solve cybersecurity problems as they arise.

According to the 2019 HIMSS Cybersecurity Survey, just over 15% of significant security issues originated either with medical device problems in hospitals or with vendor medical devices. Some of these issues led to ransomware attacks that exposed vulnerabilities, as healthcare providers and device makers scrambled to figure out which of their products were at risk while their systems were under threat. A software bill of materials would have helped them respond quickly to security, license, and operational risks.

Healthcare delivery organizations: Prioritizing preparedness and patient education

Healthcare providers, for their part, need to strengthen their threat awareness and preparedness, thinking about security from device procurement all the way to the sunsetting of legacy devices, which can extend over years and decades.

It’s currently not uncommon for healthcare facilities to use legacy technology that is 15 to 20 years old. Many of these devices are no longer supported and their security doesn’t meet the baseline of today’s evolving threats. However, as there is no replacement technology that serves the same functions, we need to provide heightened monitoring of these devices.

Threat modeling can help hospitals and providers understand their risks and increase resilience. Training and preparedness exercises are imperative in another critical area of cybersecurity: the humans operating the devices. Such exercises can put doctors, for instance, in an emergency treatment scenario with a malfunctioning device, and the discussions that follow provide valuable opportunities to educate, build awareness of, and proactively prepare for cyber threats.

Providers might consider “cybersecurity informed consent” to educate patients. When a patient signs a form before a procedure that acknowledges potential risks like infection or side effects, cyber-informed consent could include risks related to data breaches, denial of service attacks, ransomware, and more. It’s an opportunity to both manage risk and engage patients in conversations about cybersecurity, increasing trust in the technology that is essential for their health.

Regulators: Connecting a complex marketplace

The healthcare industry in the US is tremendously complex, comprising hundreds of large healthcare systems, thousands of groups of physician practices, public and private payers, medical device manufacturers, software companies, and so on.

This expanding healthcare ecosystem can make it difficult to coordinate. Groups like the Food & Drug Administration (FDA) and the Healthcare Sector Coordinating Council have been rising to the challenge.

They’ve assembled subgroups and task forces in areas like device development and the treatment of legacy technologies. They’ve been reaching out to hospitals, patients, medical device manufacturers, and others to strengthen information-sharing and preparedness, to move toward a more open, collaborative cybersecurity environment.

Last year, the FDA issued a safety communication to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication that impacted more than 20 types of implantable cardiac devices, programmers, and home monitors. Later in 2019, the same device maker recalled thousands of insulin pumps due to unpatchable cyber vulnerabilities.

These are but two examples of many that demonstrate the impact of cybersecurity not only on patient health but on device makers and the healthcare system at large. Connected health should give patients access to approved technologies that can save lives without introducing risks to patient safety.

As the world continues to realize the promise of connected technologies, we must monitor threats, manage risks, and increase our network resilience. Working together to incorporate cybersecurity into device design, industry regulations, provider resilience, and patient education is where we should start.

Contributing author: Shannon Lantzy, Chief Scientist, Booz Allen Hamilton.

Cybersecurity practices are becoming more formal, security teams are expanding

Organizations are building confidence that their cybersecurity practices are headed in the right direction, aided by advanced technologies, more detailed processes, comprehensive education and specialized skills, research from CompTIA finds.


Eight in 10 organizations surveyed said their cybersecurity practices are improving.

At the same time, many companies acknowledge that there is still more to do to make their security posture even more robust. Growing concerns about the number, scale and variety of cyberattacks, privacy considerations, a greater reliance on data and regulatory compliance are among the issues that have the attention of business and IT leaders.

Elevating cybersecurity

Two factors – one anticipated, the other unexpected – have contributed to the heightened awareness about the need for strong cybersecurity measures.

“The COVID-19 pandemic has been the primary trigger for revisiting security,” said Seth Robinson, senior director for technology analysis at CompTIA. “The massive shift to remote work exposed vulnerabilities in workforce knowledge and connectivity, while phishing emails preyed on new health concerns.”

Robinson noted that the pandemic accelerated changes that were underway in many organizations that were undergoing the digital transformation of their business operations.

“This transformation elevated cybersecurity from an element within IT operations to an overarching business concern that demands executive-level attention,” he said. “It has become a critical business function, on par with a company’s financial procedures.”

As a result, companies have a better understanding of what to do about cybersecurity. Nine in 10 organizations said their cybersecurity processes have become more formal and more critical.

Two examples are risk management, where companies assess their data and their systems to determine the level of security that each requires; and monitoring and measurement, where security efforts are continually tracked and new metrics are established to tie security activity to business objectives.

IT teams’ foundational skills

The report also highlights how the “cybersecurity chain” has expanded to include upper management, boards of directors, business units and outside firms in addition to IT personnel in conversations and decisions.

Within IT teams, foundational skills such as network and endpoint security have been paired with new skills, including identity management and application security, that have become more important as cloud and mobility have taken hold.

On the horizon, expect to see skills related to security monitoring and other proactive tactics gain a bigger foothold. Examples include data analysis, threat knowledge and understanding the regulatory landscape.

Cybersecurity insurance is another emerging area. The report reveals that 45% of large companies, 41% of mid-sized firms and 37% of small businesses currently have a cyber insurance policy.

Common coverage areas include the cost of restoring data (56% of policy holders), the cost of finding the root cause of a breach (47%), coverage for third-party incidents (43%) and response to ransomware (42%).

Why CIOs need to focus on password exposure, not expiration

The cybersecurity market is growing even in the midst of the pandemic-driven economic downturn, with spending predicted to reach $123 billion by the end of the year. While disruptive technologies are undoubtedly behind much of this market growth, companies cannot afford to overlook security basics.


Biometrics may be a media darling, but the truth is that passwords will remain the primary authentication mechanism for the foreseeable future. But while passwords may not be a cutting-edge security innovation, that’s not to suggest that CIOs don’t need to modernize their approach to password management.

Mandatory password resets

Employees’ poor password management practices are well-documented, with Google finding that 65% of people use the same password for multiple, if not all, online accounts. To circumvent the security risks associated with this behavior, companies have historically focused on periodic password resets. Seventy-seven percent of IT departments surveyed by Forrester in 2016 were expiring passwords for all staff on a quarterly basis.

This approach made sense in the early days of the digital age, when employees typically only had a handful of passwords to remember. I’d argue that times had already changed by 2016, but we are certainly in an entirely different landscape today. As digital transformation accelerates and employees are faced with managing multiple passwords for all of their accounts, it’s simply no longer realistic or wise to force frequent password resets.

It’s time to retire password expiration

Both NIST and Microsoft have recently come out against forced periodic password resets for a variety of reasons, including:

  • Password expiration eats up significant resources and budget. According to Forrester, a single password reset costs $70 of help desk labor. When you multiply this by the average number of employees in a typical organization, it’s easy to see how password expiration can become an unwieldy expense and add significant pressure on overburdened IT teams.
  • It encourages poor cybersecurity practices. When users are frequently asked to change passwords they typically create weaker ones—for example, slight variants of the original password or the same root word or phrase with different special characters for each account.
  • The practice impedes efficiency and introduces friction. Forced resets have a negative impact on productivity as employees often struggle to remember their passwords. One recent study found that 78% of people had to reset a password they forgot in the past 90 days, eating up valuable time that could have better been deployed elsewhere. In addition, the frustration associated with frequent changes can cause employees to seek a workaround or engage in poor security practices like sharing passwords among colleagues or reusing personal passwords for corporate accounts.

Exposure, not expiration

The fundamental purpose of passwords is to ensure that no one but the authorized user has access to the account or system in question. As such, it follows that password security has evolved from a focus on expiration to a focus on exposure. If credentials are secure, there is no reason for companies to incur the cost and other issues associated with forcing a reset. It’s critical that CIOs adopt this mindset and evaluate how they can continuously screen passwords to ensure their integrity.

Putting NIST’s recommendations into practice

According to NIST, companies should compare passwords “…against a list that contains values known to be commonly-used, expected or compromised… The list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses
  • Dictionary words
  • Repetitive or sequential characters
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.”

Given that multiple data breaches occur in virtually every sector on a daily basis, companies need a dynamic, automated solution that can cross-reference proposed passwords against known breach data. In this environment, it’s highly likely that a password could be secure at its creation but become compromised down the road. As such, CIOs also need to monitor password security on a daily basis and take steps to protect sensitive information if a compromise is detected.

Depending on the nature of the account and the employee’s privilege this could take a variety of forms, including:

  • Stepping up MFA or additional authentication mechanisms
  • Forcing a password reset
  • Temporarily suspending access to the account

Because these actions occur only if a compromise has been detected, this modern approach to credential screening eliminates the unnecessary cost and friction associated with password expiration.
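The screening and exposure-triggered responses described above, as an added Python example that is not part of the original article: `screen_password` checks a candidate against the four NIST SP 800-63B blocklist categories quoted earlier, and `on_authentication` applies a response policy when a credential turns up in breach data. The breach corpus, dictionary, service name and two-tier response policy are constructed for illustration.

```python
"""NIST-style password screening plus exposure-based response (added example).
The breach corpus, dictionary, service name and response policy below are
constructed for illustration, not taken from any real feed or product."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed breach corpus, held as SHA-1 digests so plaintext never sits on
# the screening host. A real deployment would refresh this from a maintained
# breach feed, since a password can be clean at creation and leak later.
BREACH_CORPUS_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1", "letmein", "qwerty123", "summer2020", "Tr0ub4dor&3")
}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football"}  # constructed
SERVICE_NAME = "ExampleCorp"  # constructed service name for context-specific checks

# Common character substitutions, so "P@ssw0rd" is treated as "password".
LEET = str.maketrans("@0134$5!7", "aoleassit")


def _variants(pw: str) -> set[str]:
    """Lower-cased, leet-decoded, symbol-stripped forms of pw, with and without
    leading/trailing digits, so "welcome2021" also collapses to "welcome"."""
    out: set[str] = set()
    for s in (pw.lower(), pw.lower().translate(LEET)):
        s = re.sub(r"[^a-z0-9]", "", s)
        out.add(s)
        out.add(re.sub(r"^\d+|\d+$", "", s))
    return out - {""}


def _repetitive_or_sequential(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` identical characters ("aaaa") or a straight
    ascending/descending run of code points ("abcd", "4321")."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(pw: str, username: str, service: str = SERVICE_NAME) -> list[str]:
    """Return the NIST blocklist categories pw trips; an empty list means acceptable."""
    reasons: list[str] = []
    if hashlib.sha1(pw.encode()).hexdigest() in BREACH_CORPUS_SHA1:
        reasons.append("breach_corpus")
    variants = _variants(pw)
    if variants & DICTIONARY:
        reasons.append("dictionary_word")
    if _repetitive_or_sequential(pw):
        reasons.append("repetitive_or_sequential")
    # Context-specific words: service name, the username (local part of an
    # e-mail address) and a simple derivative, the reversed form.
    context = {re.sub(r"[^a-z0-9]", "", c)
               for c in (username.lower().split("@")[0], service.lower())}
    context |= {c[::-1] for c in context}
    if any(len(c) >= 3 and c in v for c in context for v in variants):
        reasons.append("context_specific")
    return reasons


@dataclass
class Account:
    username: str
    privilege: str  # "standard" or "privileged" (constructed two-tier model)


# Constructed policy mapping account privilege to the responses the article
# lists; a privileged account gets the most disruptive response.
RESPONSE_POLICY = {
    "standard": ["step_up_mfa", "force_password_reset"],
    "privileged": ["suspend_account", "force_password_reset"],
}


def on_authentication(account: Account, pw: str) -> list[str]:
    """Continuous-screening hook run at each login, when the plaintext is
    transiently available (stored salted hashes cannot be compared against a
    breach corpus directly). Returns the responses to apply; empty means clean."""
    if "breach_corpus" in screen_password(pw, account.username):
        return RESPONSE_POLICY[account.privilege]
    return []


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "JDoe!4321", "Correct-Horse-Battery-Staple"):
        print(candidate, "->", screen_password(candidate, "jdoe@examplecorp.test") or "ok")
    print(on_authentication(Account("admin", "privileged"), "summer2020"))
```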

Protecting the password layer in the new normal

Replacing password expiration with exposure screening will be particularly critical as CIOs manage an increasingly hybrid workforce. With Gartner finding that 74% of organizations plan to shift some employees to permanent remote work positions, it’s likely that users will be creating new digital accounts and accessing different services online.

A modern password management approach that continuously screens for any credential compromise is the best way that organizations can secure this complex environment while simultaneously encouraging productivity and reducing help desk costs.

Inadequate skills and employee burnout are the biggest barriers to digital transformation

Nearly six in ten organizations have accelerated their digital transformation due to the COVID-19 pandemic, an IBM study of global C-suite executives revealed.


Top priorities are shifting dramatically as executives plan for an uncertain future

Digital transformation barriers

Traditional and perceived barriers like technology immaturity and employee opposition to change have fallen away – in fact, 66% of executives surveyed said they have completed initiatives that previously encountered resistance.

Participating businesses are seeing more clearly the critical role people play in driving their ongoing transformation. Leaders surveyed called out organizational complexity, inadequate skills and employee burnout as the biggest hurdles to overcome – both today and in the next two years.

The study finds a significant disconnect in how effective leaders and employees believe companies have been in addressing these gaps. While 74% of executives surveyed believe they have been helping their employees learn the skills needed to work in a new way, just 38% of employees surveyed agree.

80% of executives surveyed say that they are supporting the physical and emotional health of their workforce, while just 46% of employees surveyed feel that support.

The study, which includes input from more than 3,800 C-suite executives in 20 countries and 22 industries, shows that executives surveyed are facing a proliferation of initiatives due to the pandemic and having difficulty focusing, but do plan to prioritize internal and operational capabilities such as workforce skills and flexibility – critical areas to address in order to jumpstart progress.

“For many the pandemic has knocked down previous barriers to digital transformation, and leaders are increasingly relying on technology for mission-critical aspects of their enterprise operations,” said Mark Foster, senior vice president, IBM Services.

“But looking ahead, leaders need to redouble their focus on their people as well as the workflows and technology infrastructure that enable them – we can’t underestimate the power of empathetic leadership to drive employees’ confidence, effectiveness and well-being amid disruption.”

The study reveals three proactive steps that emerging leaders surveyed are taking to survive and thrive.

Improving operational scalability and flexibility

The ongoing disruption of the pandemic has shown how important it can be for businesses to be built for change. Many executives are facing demand fluctuations, new challenges to support employees working remotely and requirements to cut costs.

In addition, the study reveals that the majority of organizations are making permanent changes to their organizational strategy. For instance, 94% of executives surveyed plan to participate in platform-based business models by 2022, and many reported they will increase participation in ecosystems and partner networks.

Executing these new strategies may require a more scalable and flexible IT infrastructure. Executives are already anticipating this: the survey showed respondents plan a 20 percentage point increase in prioritization of cloud technology in the next two years.

What’s more, executives surveyed plan to move more of their business functions to the cloud over the next two years, with customer engagement and marketing being the top two cloudified functions.

Applying AI and automation to help make workflows more intelligent

COVID-19 has disrupted critical workflows and processes at the heart of many organizations’ core operations. Technologies like AI, automation and cybersecurity that could help make workflows more intelligent, responsive and secure are increasing in priority across the board among the global executives surveyed. Over the next two years, the report finds:

  • Prioritization of AI technology will increase by 20 percentage points
  • 60% of executives surveyed say they have accelerated process automation, and many will increasingly apply automation across all business functions
  • 76% of executives surveyed plan to prioritize cybersecurity – twice as many as deploy the technology today.

As executives increasingly invest in cloud, AI, automation and other exponential technologies, leaders should keep in mind the users of that technology – their people. These digital tools should enable a positive employee experience by design, and support people’s innovation and productivity.


COVID-19 created a sense of urgency around digital transformation

Leading, engaging and enabling the workforce in new ways

The study showed that placing a renewed focus on people may be critical amid the COVID-19 pandemic, while many employees are working outside of traditional offices and dealing with heightened personal stress and uncertainty.

Ongoing IBV consumer research has shown that the expectations employees have of their employers have shifted amidst the pandemic – employees now expect that their employers will take an active role in supporting their physical and emotional health as well as the skills they need to work in new ways.

To address this gap, executives should place deeper focus on their people, putting employees’ end-to-end well-being first. Empathetic leaders who encourage personal accountability and support employees to work in self-directed squads that apply design thinking, Agile principles and DevOps tools and techniques can be beneficial.

Organizations should also think about adopting a holistic, multi-modal model of skills development to help employees develop both the behavioral and technical skills required to work in the new normal and foster a culture of continuous learning.

Cybersecurity is a top priority for digital transformation

Cybersecurity is the number one technology priority for planned digital transformation projects as businesses adapt to a surge in remote working as a result of COVID-19.


Cybersecurity: Main focus for planned projects

IT leaders also revealed that adapting culture quickly to new ways of working is the number one challenge they need to overcome in the next 12 months. The findings are unveiled following a survey of 600+ attendees for the upcoming DTX: NOW event.

26 percent of respondents cited cybersecurity as the main focus for planned projects, followed by cloud (21 percent), data analytics (15 percent) and network infrastructure (14 percent). According to separate research, there were more hands-on-keyboard intrusions in the first half of 2020 than in the entirety of 2019.

IT leaders revealed that adapting digital culture for a new world of work was the main challenge they need to overcome in the next year (18 percent), followed by automation of business tasks and processes (14 percent), and choosing the right cloud strategy (12 percent).

Most significant barriers to digital transformation projects

The biggest barriers to delivering digital transformation projects on time and on budget reflect changing organizational dynamics that are being intensified by COVID-19. The most significant barrier to projects was revealed to be changing scope (29 percent of respondents), reduced budgets (24 percent) and changing team structure (17 percent).

The data also indicates that digital transformation has become a priority for businesses of every size. 58 percent of projects are anticipated to come in at less than £250,000, and just 22 percent have a budget of over £500,000 and 10 percent over £1 million.

“COVID-19 is a catalyst for digital transformation, but it’s a leveller too. We’re hearing from IT leaders that there is a shift in which technologies businesses are investing in.

“Ensuring the vast majority of employees could work from home practically overnight has exposed issues with IT strategy, and modernising the core tech stack has become an immediate priority for just about every organization”, said James McGough, managing director of Imago Techmedia.

“Many businesses have found that areas like cybersecurity measures, network infrastructure and cloud strategy need urgent adaptation for a distributed workforce.

“Some companies might be in a position to consider the likes of AI, blockchain and quantum computing, but the reality for most is that the future-looking, big ticket tech projects are on the back burner for now. Companies of every size are finding themselves restarting their digital transformation journeys,” McGough concluded.

Cyberwarfare predicted to damage the economy in the coming year

71% of CISOs believe cyberwarfare is a threat to their organization, and yet 22% admit to not having a strategy in place to mitigate this risk. This is especially alarming during a period of unprecedented global disruption, as 50% of infosec professionals agree that the increase of cyberwarfare will be detrimental to the economy in the next 12 months.


CISOs and infosec professionals, however, are shoring up their defenses — with 51% and 48% respectively stating that they believe they will need a strategy against cyberwarfare in the next 12-18 months.

These findings, and more, are revealed in Bitdefender’s global 10 in 10 Study, which highlights how, in the next 10 years, cybersecurity success lies in the adaptability of security decision makers, while simultaneously looking back into the last decade to see if valuable lessons have already been learnt about the need to make tangible changes in areas such as diversity.

It explores, in detail, the gap between how security decision makers and infosec professionals view the current security landscape and reveals the changes they know they will need to make in the upcoming months and years of the 2020s.

The study takes into account the views and opinions of more than 6,724 infosec professionals representing a broad cross-section of organizations from small 101+ employee businesses to publicly listed 10,000+ person enterprises in a wide variety of industries, including technology, finance, healthcare and government.

The rise and fall (and rise again) of ransomware

Outside of the rise of cyberwarfare threats, an old threat is rearing its head — ransomware. During the disruption of 2020, ransomware has surged with as much as 43% of infosec professionals reporting that they are seeing a rise in ransomware attacks.

What’s more concerning is that 70% of CISOs/CIOs and 63% of infosec professionals expect to see an increase in ransomware attacks in the next 12-18 months. This is of particular interest as 49% of CISOs/CIOs and 42% of infosec professionals are worried that a ransomware attack could wipe out the business in the next 12-18 months if they don’t increase investment in security.

But what is driving the rise in ransomware attacks? Some suggest it’s because more people are working from home — which makes them an easier target outside of the corporate firewall. The truth might however be tied to money.

59% of CISOs/CIOs and 50% of infosec professionals believe that the business they work for would pay the ransom in order to prevent its data/information from being published — making ransomware a potential cash cow.

A step change in communication is in high demand

Cyberwarfare and ransomware are complex topics to unpack, amongst many others in infosec. The inherent complexity of infosec topics does however make it hard to gain internal investment and support for projects. This is why infosec professionals believe a change is needed.

In fact, 51% of infosec professionals agree that in order to increase investment in cybersecurity, the way that they communicate about security has to change dramatically. This number jumps up to 55% amongst CISOs and CIOs — many of whom have a seat at the most senior decision-making table in their organizations.

The question is, what changes need to be made? 41% of infosec professionals believe that in the future more communication with the wider public and customers is needed so everyone, both inside and outside the organization, better understands the risks.

In addition, 38% point out that there is a need for the facilitation of better communication with the C-suite, especially when it comes to understanding the wider business risks.

And last, but not least, as much as 31% of infosec professionals believe using less technical language would help the industry communicate better, so that the whole organization could understand the risks and how to stay protected.

“The reason that 63% of infosec professionals believe that cyberwarfare is a threat to their organization is easy,” said Neeraj Suri, Distinguished Professorship and Chair in Cybersecurity at Lancaster University.

“Dependency on technology is at an all-time high and if someone was to take out the WiFi in a home or office, no one would be able to do anything. This dependency wasn’t there a few years back – it wasn’t even as high a few months back.

“This high dependency on technology doesn’t just open the door for ransomware or IoT threats on an individual level, but also to cyberwarfare which can be so catastrophic it can ruin economies.

“The reason that nearly a quarter of infosec pros don’t currently have a strategy to protect against cyberwarfare is likely because of complacency. Since they haven’t suffered an attack or haven’t seen, on a wide scale, the damage that can be done, they haven’t invested the time in protecting against it.”

Diversity, and specifically neurodiversity, is key to future success

Outside of the drastic changes that are needed in the way cybersecurity professionals communicate, there’s also a need to make a change within the very makeup of the workforce. The infosec industry as a whole has long suffered from a skills shortage, and this looks to remain an ongoing and increasingly obvious issue.

15% of infosec professionals believe that the biggest development in cybersecurity over the next 12-18 months will be the skills gap increasing. If the skills deficit continues for another five years, 28% of CISOs and CIOs say they believe that it will destroy businesses.

And another 50% of infosec professionals believe that the skills gap will be seriously disruptive if it continues for the next 5 years.

Today, however, it will take more than just recruiting skilled workers to make a positive change and protect organizations. In 2015, 52% of infosec workers would have agreed that there is a lack of diversity in cybersecurity and that it’s a concern.

Five years later, in 2020, this remains exactly the same — and that is a significant problem as 40% of CISOs/CIOs and infosec professionals say that the cybersecurity industry should reflect the society around it to be effective.

What’s more, 76% of CISOs/CIOs, and 72% of infosec professionals, believe that there is a need for a more diverse skill set among those tackling cybersecurity tasks. This is because 38% of infosec professionals say that neurodiversity will make cybersecurity defenses stronger, and 33% revealed a more neurodiverse workforce will level the playing field against bad actors.

While it’s clear that the cybersecurity skills gap is here to stay, it’s also clear why changes need to be made to the makeup of the industry.


Liviu Arsene, Global Cybersecurity Researcher at Bitdefender concludes, “2020 has been a year of change, not only for the world at large, but for the security industry. The security landscape is rapidly evolving as it tries to adapt to the new normal, from distributed workforces to new threats. Amongst the new threats is cyberwarfare.

“It’s of great concern to businesses and the economy — and yet not everyone is prepared for it. At the same time, infosec professionals have had to keep up with new threats from an old source, ransomware, that can affect companies’ bottom lines if not handled carefully.

“The one thing we know is that the security landscape will continue to evolve. Changes will happen, but we can now make sure they happen for better and not for worse. To succeed in the new security landscape, the way we as an industry talk about security has to become more accessible to a wider audience to gain support and investment from within the business.

“In addition, we have to start thinking about plugging the skills gap in a different way — we have to focus on diversity, and specifically neurodiversity, if we are to stand our ground and ultimately defeat bad actors.”

DaaS, BYOD, leasing and buying: Which is better for cybersecurity?

In the digital age, staff expect employers to provide hardware, and companies need hardware that allows employees to work efficiently and securely. There are already a number of models to choose from to purchase and manage hardware, however, with remote work policies becoming more popular, enterprises have to prioritize cybersecurity when making their selection.


The COVID-19 pandemic and online shift has brought to light the need for robust cybersecurity strategies and technology that facilitates safe practices. Since the pandemic started, the FBI has reported a 300 percent increase in cybercrime. As more businesses are forced to operate at a distance, hackers are taking advantage of weak links in their networks. At the same time, the crisis has meant many enterprises have had to cut their budgets, and so risk compromising cybersecurity when opting for more cost-effective measures.

Currently, Device-as-a-Service (DaaS), Bring-Your-Own-Device (BYOD) and leasing/buying are some of the most popular hardware options. To determine which is most appropriate for your business’s cybersecurity needs, here are the pros and cons of each:

Device-as-a-Service (DaaS)

DaaS models are when an organization distributes hardware like computers, tablets, and phones to employees with preconfigured and customized services and software. For many enterprises, DaaS is attractive because it allows them to acquire technology without having to outright buy, set up, and manage it – therefore saving time and money in the long run. Because of DaaS’s growing popularity, 65 percent of major PC manufacturers now offer DaaS capabilities, including Apple and HP.

When it comes to cybersecurity, DaaS is favorable because providers are typically experts in the field. In the configuration phase, they are responsible for ensuring that all devices have the latest security protections installed as standard, and they are also responsible for maintaining such protections. Once the hardware is in use, DaaS models allow providers to monitor the company’s entire fleet – checking that all devices adhere to security policies, including protocols around passwords, approved apps, and accessing sensitive data.

Another bonus is that DaaS can offer analytical insights about hardware, such as device location and condition. With this information, enterprises can be alerted if tech is stolen, missing or outdated and therefore a threat to overall cybersecurity. A further way to boost the level of protection given by DaaS models is to integrate them with Unified Endpoint Management (UEM). UEM helps businesses organize and control internet-enabled devices from a single interface and uses mobile threat detection to identify and thwart vulnerabilities or attacks among devices.

Nonetheless, to effectively utilize DaaS, enterprises have to determine their own relevant security principles before adopting the model. They then need an in-depth understanding of how these principles are applied throughout the DaaS services and what level of assurance the provider gives that they are enforced. Assuming that DaaS completely removes enterprises from being involved in device cybersecurity would be unwise.

Bring-Your-Own-Device (BYOD)

BYOD is when employees use their own mobile phones, laptops, PCs, and tablets for work. In this scenario, companies have greater flexibility and can make significant cost savings, but there are many more risks associated with personal devices compared to corporate-issued devices. Although BYOD is favorable among employees – who can use devices that they are more familiar with – enterprises essentially lose control and visibility of how data is transmitted, stored, and processed.

Personal devices are dangerous because hackers can create a sense of trust via personal apps on the hardware and more easily coerce users into sharing business details or downloading malicious content. Plus, with BYOD, companies are dependent on employees keeping all their personal devices updated with the most current protective services. One employee forgetting to do so could negate the cybersecurity of the overall network.

Similar to DaaS, UEM can also help companies that have adopted BYOD take a more centralized approach to managing the risk of exposing their data to malicious actors. For example, UEM can block websites or content on personal devices, as well as enforce passcodes and device and disk encryption. Alternatively, VPNs are commonly used to enhance cybersecurity in companies that allow BYOD. During the COVID-19 pandemic, 68 percent of employees claim their company has expanded VPN usage as a direct result of the crisis. It’s worth noting, though, that VPNs only encrypt data accessed via the internet and cloud-based services.

When moving forward with BYOD models, enterprises must host regular training and education sessions around safe practices on devices, including recognizing threats, avoiding harmful websites, and the importance of upgrading. They also need to have documented and tested computer security incident response plans, so if any attacks do occur, they are contained as soon as possible.

Leasing / buying

Leasing hardware is when enterprises obtain equipment on a rental basis, in order to retain working capital that can be invested in other areas. In the past, as many as 80 percent of businesses chose to lease their hardware. The trend is less popular today, as SaaS products have proven to be more tailored and scalable.

Still, leasing is beneficial because rather than jeopardizing cybersecurity to purchase large volumes of hardware, enterprises can rent fully covered devices. Likewise, because the latest software typically requires the latest hardware, companies can rent the most recent tech at a fraction of the retail cost.

Comparable to DaaS providers, leasing companies are responsible for device maintenance and have to ensure that every laptop, phone, and tablet has the appropriate security software. Again, however, this does not absolve enterprises from taking an active role in cybersecurity implementation and surveillance.

Unlike leasing, where there can be uncertainty over who owns the cybersecurity strategy, buying is more straightforward. Purchasing hardware outright means companies have complete control over devices and can cherry-pick cybersecurity features to include. It also means they can be more flexible with cybersecurity partners, running trials with different solutions to evaluate which is the best fit.

That said, buying hardware has a noticeable downside where equipment becomes obsolete once new versions are released. 73 percent of senior leaders from enterprises actually agree that an abundance of outdated equipment leaves companies vulnerable to data security breaches. Considering that, on average, a product cycle takes only 12 to 24 months, and there are thousands of hardware manufacturers at work, devices can swiftly become outdated.

Additionally, because buying is a more permanent action, enterprises run the risk of being stuck with hardware that has been compromised. Unlike software, which can usually be patched relatively easily, hardware often has to be sent off-site for repairs. This may result in enterprises with limited hardware continuing to use damaged or unprotected devices to avoid downtime in workflows.

If and when a company does decide to dispose of hardware, there are complications around guaranteeing that the decommissioned devices are fully locked down and can no longer access databases or networks afterwards. In contrast, providers under DaaS and leasing models expertly wipe devices at the end of contracts or when disposing of them, so enterprises don’t have to be concerned about unauthorized access.

Putting cybersecurity front-and-center

DaaS, BYOD, and leasing/buying all have their own unique benefits when it comes to cybersecurity. Despite all the perks, it has to be acknowledged that BYOD and leasing pose the biggest obstacles for enterprises because they take cybersecurity monitoring and control out of companies’ hands. Nevertheless, for all the options mentioned, UEM is a valuable way to bridge gaps and empower businesses to be in control of cybersecurity, while still being agile.

Ultimately, the most impactful cybersecurity measures are the ones that enterprises are firmly vested in, whatever hardware model they adopt. Businesses should never underestimate the power of a transparent, well-researched, and constantly evolving security framework – one which a hardware model complements, not solely creates.

Internet Impact Assessment Toolkit: Protect the core that underpins the Internet

The Internet Society has launched the first-ever regulatory assessment toolkit that defines the critical properties needed to protect and enhance the future of the Internet.


The Internet Impact Assessment Toolkit is a guide to help ensure regulation, technology trends and decisions don’t harm the infrastructure of the Internet. It describes the Internet at its optimal state – a network of networks that is universally accessible, decentralized and open; facilitating the free and efficient flow of knowledge, ideas and information.

Critical properties of the Internet Impact Assessment Toolkit

The five critical properties of the Internet Way of Networking (IWN) identified by the toolkit are:

  • An accessible infrastructure with a common protocol – A ‘common language’ enabling global connectivity and unrestricted access to the Internet.
  • An open architecture of interoperable and reusable building blocks – Open infrastructure with a set of standards enabling permission-free innovation.
  • Decentralized management and a single distributed routing system – Distributed routing enabling local networks to grow, while maintaining worldwide connectivity.
  • Common global identifiers – A single common identifier allowing computers and devices around the world to communicate with each other.
  • A technology neutral, general-purpose network – A simple and adaptable dynamic environment cultivating infinite opportunities for innovation.

When combined, these properties form the unique foundation that underpins the Internet’s success and are essential for its healthy evolution. The closer the Internet aligns with the IWN, the more open and agile it is for future innovation and the broader benefits of collaboration, resiliency, global reach and economic growth.

“The Internet’s ability to support the world through a global pandemic is an example of the Internet Way of Networking at its finest,” explains Joseph Lorenzo Hall, Senior VP for a Strong Internet, Internet Society. “Governments didn’t need to do anything to facilitate this massive global pivot in how humanity works, learns and socializes. The Internet just works – and it works thanks to the principles that underpin its success.”

A resource for policymakers and technologists

The Internet Impact Assessment Toolkit will serve as an important resource to help policymakers and technologists ensure trends in regulatory and technical proposals don’t harm the unique architecture of the Internet. The toolkit explains why each property of the IWN is crucial to the Internet and the social and economic consequences that can arise when any of these properties are damaged.

For instance, the Toolkit shows how China’s restrictive networking model severely impacts its global reach and hinders collaboration with networks beyond its borders. It also highlights how the US administration’s Clean Network proposal challenges the Internet’s architecture by dictating how networks interconnect according to political considerations rather than technical considerations.

“We’re seeing a trend of governments encroaching on parts of the Internet’s infrastructure to try and solve social and political problems through technical means. Ill-informed regulation can drastically alter the Internet’s fundamental architecture and harm the ecosystem that supports it,” continues Hall. “We’re giving both policymakers and Internet users the information and tools to make sure they don’t break this resource that brings connectivity, innovation, and empowerment to everyone.”

Plan for change but don’t leave security behind

COVID-19 has upended the way we do all things. In this interview, Mike Bursell, Chief Security Architect at Red Hat, shares his view of which IT security changes are ongoing and which changes enterprises should prepare for in the coming months and years.


How has the pandemic affected enterprise edge computing strategies? Has the massive shift to remote work created problems when it comes to scaling hybrid cloud environments?

The pandemic has caused major shifts in the ways we live and work, from video calls to increased use of streaming services, forcing businesses to embrace new ways to be flexible, scalable, efficient and cost-saving. It has also exposed weaknesses in the network architectures that underpin many companies, as they struggle to cope with remote working and increased traffic. We’re therefore seeing both an accelerated shift to edge computing, which takes place at or near the physical location of either the end-user or the data source, and further interest in hybrid cloud strategies which don’t require as much on-site staff time.

Changing your processes to make the most of this without damaging your security posture requires thought and, frankly, new policies and procedures. Get your legal and risk teams involved – but don’t forget your HR department. HR has a definite role to play in allowing your key employees to continue to do the job you need them to do, but in ways that are consonant with the new world we’re living in.

However, don’t assume that these will be – or should be! – short-term changes. If you can find more efficient or effective ways of managing your infrastructure, without compromising your risk profile while also satisfying new staff expectations, then everyone wins.

What would you say are the most significant challenges for enterprises that want to build secure and future-proof application infrastructures?

One challenge is that although some of the technology is now quite mature, the processes for managing it aren’t, yet. And by that I don’t just mean technical processes, but how you arrange your teams and culture to suit new ways of managing, deploying, and (critically) automating your infrastructure. Add to this new technologies such as confidential computing (using Trusted Execution Environments to protect data in use), and there is still a lot of change.

The best advice is to plan for change – technical, process and culture – but do not, whatever you do, leave security till last. It has to be front and centre of any plans you make. One concrete change that you can make immediately is taking your security people off just “fire-fighting duty”, where they have to react to crises as they come in: businesses can consider how to use them in a more proactive way.

People don’t scale, and there’s a global shortage of security experts. So, you need to use the ones that you have as effectively as you can, and, crucially, give them interesting work to do, if you plan to retain them. It’s almost guaranteed that there are ways to extend their security expertise into processes and automation which will benefit your broader teams. At the same time, you can allow those experts to start preparing for new issues that will arise, and investigating new technologies and methodologies which they can then reapply to business processes as they mature.

How has cloud-native management evolved in the last few years and what are the current security stumbling blocks?

One of the areas of both maturity and immaturity is in terms of workload isolation. We can think of three types: workload from workload isolation (preventing workloads from interfering with each other – type 1); host from workload isolation (preventing workloads from interfering with the host – type 2); workload from host isolation (preventing hosts from interfering with workloads – type 3).

The technologies for types 1 and 2 are really quite mature now, with containers and virtual machines combining a variety of hardware and software techniques such as virtualization, cgroups and SELinux. On the other hand, protecting workloads from malicious or compromised hosts is much more difficult, meaning that regulators – and sensible enterprises! – are unwilling to have some workloads execute in the public cloud.

Technologies like secure and measured boot, combined with TPM capabilities in projects such as Keylime (which is fully open source), are beginning to address this, and we can expect major improvement as confidential computing (and open source projects like Enarx, which uses TEEs) matures.

In the past few years, we’ve seen a huge interest in Kubernetes deployments. What common mistakes are organizations making along the way? How can they be addressed?

One of the main mistakes we see businesses make is attempting to deploy Kubernetes without the appropriate level of in-house expertise. Kubernetes is an ecosystem, rather than a one-off executable, that relies on other services provided by open source projects. It requires IT teams to fully understand the architecture that is made up of applications and network layers.

Once implemented, businesses must also maintain the ecosystem in parallel to any software running on top. When it comes to implementation, businesses are advised to follow open standards – those decided upon by the open source Kubernetes community as a whole, rather than a specific vendor. This will prevent teams from running into unexpected roadblocks, and helps to ensure a smooth learning curve for new team members.

Another mistake organizations can make is ignoring small but important details, such as the backwards compatibility of Kubernetes with older versions, which is very important. It’s easy to overlook the fact that these may not have important security updates that can transfer, so IT teams must be mindful when merging code across versions, and check regularly for available updates.

Open source remains one of the building blocks of enterprise IT. What’s your take on the future of open source code in large business networks?

Open source is here to stay, and that’s a good thing, not least for security. The more security experts there are to look at code, the more likely that bugs will be found and fixed. Of course, security experts are short on the ground, and busy, so it’s important that large enterprises make a commitment to getting involved with open source and committing resources to it.

Another issue is that people get confused, thinking that just because a project is open source, it’s ready to use. There’s a difference between an open source project and an enterprise product which is based on that project. In the latter case, you get all the benefits of testing, patching, upgrading, vulnerability processes, version management and support. In the former case, you need to manage everything yourself – including ensuring that you have sufficient expertise in-house to cope with any issues that come up.

Developing a plan for remote work security? Here are 6 key considerations

With so many organizations switching to a work-from-home model, many are finding security increasingly difficult to administer and maintain. There is an influx of vulnerable points distributed across more locations than ever before, as remote workers strive to maintain their productivity. The result? Security teams everywhere are being stretched.


The Third Global Threat Report from VMware Carbon Black also found little confidence among respondents that the rollout to remote working had been done securely. The study took a deep dive into the effects COVID-19 had on the security of remote working, with 91% of executives stating that working from home has led to a rise in attacks.

Are you making sure your security professionals are up to the task of remote working while security threats are on the rise?

1. Maintain consistency

One way to help mitigate risk is to have your developers and security professionals train at a consistent level so they are all on the same page. Knowing that there is some sort of security architecture at play in your organization and understanding the logistics of how to stress test aspects of that structure will make it easier to prepare for and block attacks.

2. Don’t overlook the details

Training needs to address all aspects of your structure, specifically: information security, data security, cybersecurity, computer security, physical security, IoT security, cloud security, and individual security. Each area of an architecture needs to be tested and hardened regularly for your organization to truly be shielded from security breaches. Be specific about your program: train your staff on how to defend your information around your HR records (SSNs, PII, etc.) and data that could be exposed (shopping cart, customer card numbers), as well as in cyber defense to provide tools against nefarious actors, breaches and threats.

3. Think about the individual

Staff must be trained to know how to lock down computers, so individual machines and network servers are safe. This training should also encompass how to ensure physical security, to protect your storage or physical assets. This comes into play more as the IoT plays a larger role in connecting our devices and BYOD policies allow for more connections to be made between personal and corporate assets. Individual security: each employee is entitled to be secure in their work for a company, and that includes privacy concerns and compliance issues.

4. Keep your head in the cloud

Today, most companies have some sort of cloud presence, and security professionals will need to be trained to constantly check the interfaces to the cloud and any hybrid on-prem and off-prem instances you have.

5. Invest in learning

With constantly changing layers of architecture and amplified room for breaches as a result of remote working, it’s hard to imagine how security professionals stay ahead of all the changes. One thing that keeps teams on top of their game is professional online learning.

During the COVID-19 shelter-in-place mandate, leading eLearning companies have witnessed a massive increase in hours of security content consumed. For some, security is one of the fastest-growing topic areas, which suggests that security is more important this year. This is likely because of the number of workers who have gone remote and the challenges that brings to an organization, particularly in the security department.

6. Consider role-based training

While it’s important to equip teams with skills that apply across functions, there is a case to be made for investing in experts. Cybersecurity is not a field where there is a linear path of growth. There are different journeys individuals can take, for example transitioning from a vulnerability analyst to a security architect. By looking at individuals within the organization and seeking ways for them to upskill and take on new roles and responsibilities, you have the unique benefit of being able to help them curate roles that fit the needs of the organization.

It’s not often that a business has a dedicated Remote Team Security Lead, because there was rarely a need for one. Considering the quick transition to remote work and possibility that this is the new normal, organizations can benefit by investing in specific training curated to meet the security needs of remote teams. If this role is cultivated within the organization, there is the added benefit of knowing that the lessons being taught provide direct relevancy to specific needs and increase the attractiveness of investing time and effort into skills training.

Training can be the key to preparing security professionals for the unexpected. But there is no one-size-fits-all lesson that can be delivered or an evergreen degree that can keep up with an industry that changes every day. Training needs to be always on the agenda and it needs to be developed in a way that offers different modalities of learning.

Regardless of how the individual best learns, criterion-based assessments can measure knowledge/skills and act as a guide to true, lasting learning. Developing a culture committed to agility and learning is the key to embracing change.

A 2020 approach to security: People matter

The information security industry frequently utilizes the phrase “people, processes and technology” (PPT) to describe a holistic model of securing the business.

But though this phrase is repeated ad nauseam, we seem to have forgotten one of those three primary pillars: people.

In an effort to secure things technically, we prioritize the protection of our processes and technology, while ignoring a critical element to both the success and security of organizations. While it is common sense to prioritize humans – our first line of defense against cyberattacks – too often we only focus on processes and technology, leaving a significant part of our environment dangerously exposed.

Forgetting the people of the PPT approach is like operating a car without airbags. Perhaps you cannot physically see the hazardous gap, but the drive will be incredibly unsafe.

How do we mitigate this gap? By recognizing that people matter. In the information security domain, we place extensive premiums on the focus of the technical, which leads us to neglect humanism, soft skills and the human capital of the business.

Avoid disempowering your staff

Security professionals often describe humans within the cybersecurity space as the weakest link of the system. Security staff often use this phrase to describe everyone but themselves, which does little to enable trust between internal teams or to encourage collaboration among cross-functional groups. In addition, it cultivates an “us versus them” mentality, which is damaging to professional relationships and the success of our information security programs.

Even if people are the element most susceptible to phishing attempts, or the link most likely to be negligent in security practices, it becomes incredibly difficult to foster a culture of security awareness if we demoralize or denigrate the individuals we need to help drive our security priorities.

How does a security team avoid disempowering fellow employees? The solution is quite simple: be aware of the words and phrases you use to describe the people of the PPT model. Develop trust by utilizing positive language during communication and approaching all staff with respect when informing them that security is the responsibility of all employees. You will more effectively keep the attention of staff when you demonstrate that you respect them and indicate that you view them as a primary element of keeping the organization secure.

Steer clear of “My way or the highway!”

The stress of constant security incidents and continuous fear of potential data breaches lead many security teams to operate with a rigid, iron-fist management approach. Instead of allowing security to better enable the business, ideas and programs are forced through and collaboration is thrown by the wayside in the name of making our environments more secure.

While this certainly does not make us popular within the workplace, it also contributes to a lack of trust between security and other business functions. Trust is critical to the success of our security paradigm, which means we must take every opportunity possible to ensure that security enables the business. Without trust, the people of our businesses will not follow our security policies, report suspicious activity, or see cybersecurity in the organization as something they are directly responsible for.

Is it possible for security teams to operate in a flexible and collaborative manner that guarantees the advancement of the security program, while simultaneously not hindering the day-to-day work of other staff?

Most definitely. And the solution, like the above, is free, and requires no processes or technology. Be open to opposing opinions regarding the implementation of your security project or program. Approach others cooperatively on how the integration of a new security tool or application should be managed. Asking others, candidly, if there is a “better” way to address a security problem is a wonderfully collaborative way to engage within a culture of teamwork.

Those outside the security team may have ingenious approaches to fixing security problems that we may never have thought of – solutions that both mitigate the security issue and don’t hinder the day-to-day work of employees. Acknowledging the skills and expertise of other non-security teams allows us to discover more innovative ways of approaching a security problem.

Continue to implement technical controls but consider implementing another element into your governance model: people matter. This value, though it sounds simple, is an effective way to not only manage security risk at an acceptable level, but also to ensure that we cultivate our security models holistically.