Today’s organizations aspire to solve cybersecurity problems but aren’t necessarily equipped to do so. Deloitte’s 2019 Future of Cyber survey found that gaps in their abilities to meet future cybersecurity demands exist.
At issue is that cyber risk, data protection and data loss continue to expand and broaden as organizations become more dependent on technology — and organizations aren’t always planning for that, says Emily Mossburg, principal and advisory and implementation services leader for Deloitte Cyber. “Cyber isn’t related to any one specific thing,” she says. As increasing numbers of connected devices, services and products are sharing data across different platforms, the data elements, requirements and considerations associated with cyber risk become part of an organization’s every decision, platform and business initiative, she says.
“It’s become very unwieldy in that cyber is everywhere,” Mossburg says. “Organizations may be prepared and managing cyber risk well in certain areas and environments and with certain data, but are they prepared from a resourcing, prioritization, budgeting or people standpoint to be able to handle it everywhere?”
Also at issue is that cybersecurity is being considered late in an organization’s digital transformation efforts, which are considered a catalyst for enterprise as well as cyber agenda change, Mossburg says. “From a digital-transformation perspective, organizations are tackling a whole host of different things,” she says. “And the data shows they are tackling them at the same time. When we asked organizations to rank their top transformation initiatives, there was no clear front-runner.”
The survey queried 500 C-suite executives responsible for cybersecurity about such challenges as leading digital transformation from legacy environments, disconnected data sources, identity systems and governance issues. Among the survey findings: many cyber organizations are challenged most by data management complexities (16 percent), followed by better prioritization of cyber risk across the enterprise and rapid IT changes, each at 15 percent.
Thirteen percent said a lack of adequate funding was the biggest challenge. Cyber spend is small relative to other areas of digital transformation efforts: “Less than 10 percent of the respondents spent 10 percent or more of their cyber budget on aligning against digital transformation initiatives,” Mossburg says.
So, how will organizations become ready for a world where cyber is everywhere if they’re not prioritizing their budget to be in alignment with the things driving strategic business initiatives and change?
Organizations might have to change their focus, Mossburg says: For instance, some might be still building their cyber program and so haven’t prioritized or directed more spend to transformation. Or they could have a narrow focus and “are still focused on a more insular enterprise IT, security and cyber program — instead of considering that they need to be more aligned to the business’s strategies, initiatives and innovations,” she says. Others are still dealing with the newness of digital transformation initiatives.
Cyber is also a relatively new focus for many organizations when compared to other enterprise functions, notes Mossburg, who herself started working in the cyber space in 2000. At that time, she says, few of her clients had a chief information security officer (CISO) but might have had a manager or senior manager within IT who had some level of responsibility for security.
“They were focused on development of basic security policies, which wasn’t a standard practice at that point,” she says. “Such programs were so new that organizations didn’t have a policy, guidelines, or practices and procedures around security. Quite frankly, at that time, implementing security pertained to: How do we put, for an analogy, a lock on our door so that people in the broader internet must have a key to get in?”
She continues: “There wasn’t a recognition of what the risk was. In many cases, the conversation was around whether this was even a problem. Will anyone really want to get into my system and access my information? Is this really something I should be concerned about? If I’m going to spend this money, am I sure that there is a reason to do so?”
Fast forwarding to 2019, the concept around cybersecurity and protection of information is core to what many executives are focused on, Mossberg says: It’s among the top 10 risks of almost every enterprise she works with.
“There has been a huge amount of maturity in the last 20 years — but 20 years in the course of broad business is relatively a short period of time,” Mossberg says. “So, we still have quite a bit of maturing and changing to do in this space.”
Eventually, cybersecurity and cyber-risk management will become a standard part of business, she says: “We’re just not there yet regarding what that standard looks like as it relates to integration across the entire organization.”