By: Baan Alsinawi, Managing Director at Cerberus Sentinel and the founder of TalaTek
EMA Study – Risk Management Initiatives
I recently finished reviewing the Cerberus-co-sponsored research study, Using Compliance Budget to Advance Security Priorities, from industry analyst firm Enterprise Management Associates (EMA) that included input and feedback from more than 200 tech and business leaders from across 10 industries. It’s a fascinating study that is worth a close read (you can download it here). From my perspective of nearly 20 years in the cybersecurity field with a focus on governance, risk and compliance, I think the key takeaway is this: Businesses are increasingly required to spend on compliance due to regulatory demands, and they will use that budget to further their risk management/security implementations. As a result, it is far better that security and compliance go hand-in-hand and are complementary rather than being competing priorities. This will go a long way toward reducing an organization’s cyber risk and improving its security posture.
Digging into the study, I found several interesting trends. The survey showed that 89 percent of the respondents said their information security and IT compliance priorities were generally aligned. This is a remarkable shift, and it confirms what we are already seeing in the marketplace. It’s a good thing, too, because 76 percent indicated that compliance has completely or significantly shifted their security strategy.
This shift points to a new willingness to reduce internal silos that have traditionally kept IT, cybersecurity, and compliance relatively separate from one another. As an industry expert, I can say that this has been a systemic challenge over the years, so the shift is a welcome change. This is not a stopping place, as much work needs to be done to create an environment where compliance, cybersecurity, and IT are in complete alignment as business-enabling functions in most organizations. However, it is a milestone to watch in the coming years.
In addition to citing greater alignment of information security and IT compliance, those surveyed indicated challenges in navigating different framework requirements/compliance controls that constantly change, sometimes forcing them to mitigate conflicting standards and requirements.
Other notable trends highlighted in this study:
- Data security and protection is an overarching concern. Nearly 60 percent of respondents said that data security/privacy regulations have impacted their company’s security approach. This was also the top spending priority, with more than half saying they make significant investments in data security/privacy management and data loss prevention.
- Multiple IT environments. There appears to be a sizable shift in companies moving from legacy enterprise architecture to a hybrid mix of Cloud and legacy. Maintaining security in the Cloud is complex, which leads to another issue . . .
- Lack of skilled and knowledgeable resources/talent. Having more skilled cybersecurity resources ranked second in how organizations could improve their cybersecurity, and the lack of skilled staff ranked fourth in what respondents listed as their greatest security problem. This is an especially interesting trend, given that in the vast majority of organizations, corporate staff perform IT audit/compliance functions.
- Lack of unified cybersecurity culture across the organization. A significant percentage of respondents said they needed to improve their organization’s cybersecurity culture and understanding of cyber impacts. They also indicated they felt the need for a unified cybersecurity strategy across their organization. Although the study indicates a willingness to reduce silos, as evidenced in greater alignment of information security and IT compliance, this shift has not yet been fully realized at the organizational level. Many indicated that they still struggle with organizational silos, exacerbated by a lack of interorganizational cooperation and shared resources. Respondents also said they lacked executive management buy-in and support, face internal roadblocks for cybersecurity initiatives, or did not have an executive voice dedicated to cybersecurity.
- Third-party management. More than 70 percent said that their organization had made or planned to make significant investment in vendor-management solutions.
In summary, the study shows the first major sign of progress the industry has seen in more than a decade for reducing internal silos that plague and limit the effectiveness of the vast majority of cybersecurity and compliance programs, but there is much work to be done. The sooner organizations can flesh out this movement internally, unifying cybersecurity, compliance, and IT efforts in alignment with their business goals, the sooner they can place security at the center of their businesses. The end result is an environment that is secure, compliant, efficient, and sleek – able to make rapid progress and keep up with business needs.
With our deep bench of managed compliance and security expertise, Cerberus is well poised to help organizations meet these challenges. We can speed up your journey to cyber resilience with services designed to reduce internal silos and maximize efficiency, including assessment, planning, implementation and maintenance of your cybersecurity and compliance programs. So, whether you need a risk assessment, gap analysis, audit, remediation, security monitoring, ongoing risk management or training, we can help. Cerberus can also meet organizations’ needs for skilled and experienced staff to fill the resource gap so many respondents said they are facing. Talk to us; we’re problem solvers.
Contact us to discuss your security needs and discover more about how Cerberus Sentinel can help you improve your security posture.