With high-profile breaches at the likes of Facebook, British Airways and Marriott fresh in the mind, it's no surprise to see a backlash against the companies that hold our data and a new impetus to take back control. But how are CIOs tackling the information security challenge, and what do we expect the future to hold?
Assessing the threat
According to the more than 840 CIOs whom we interviewed for the sixth edition of the annual Logicalis Global CIO Survey, the role of the CIO is in flux. A traditional focus on "keeping the lights on" has seemingly given way to more strategic activities around service and product innovation as organisations take to the cloud and expand their IT estate. Despite all this, security continues to dominate CIOs' time and attention, with 93% saying that they devote between 10% and 50% of their time to information security, and 54% spending at least 30% of their time on it.
CIOs are right to remain vigilant, as the evidence points to threats increasing. We're seeing no sign that external threats such as malware, ransomware, crypto-jacking and phishing are going anywhere, especially because it has become even easier for attackers to launch these types of attack. They're low cost and have the potential to reach either massive or highly targeted audiences.
One trend that has emerged from the survey is that CIOs are now far more focused on the human dimension of cyber risk than before. Whilst the 2017 report cited external threats as the clear focus, this year's findings saw lack of staff awareness and mistakes as a concern for more than half (56%) of CIOs, while 39% are concerned about malicious insiders. The human dimension is interesting, and we'd certainly say that people and process should always be the place to start. This attitude has not always been borne out in practice, however, as spending on technology tends to take precedence over training.
The expansion of the IT footprint and the ever-evolving threat landscape have clear implications for security, and most CIOs signal that they are moving away from a purely defensive footing to one of cyber resilience, which brings together defence with detection and recovery. More than a third (37%) of CIOs say their organisation now adopts a resilience-based information security footing. This stance will need some element of automation, as the rate at which threats are accelerating is outpacing our ability to develop skills. AI represents an opportunity to keep pace, particularly when it comes to threat detection and response. We'd expect developments in this area to focus on the "response" part of the process, although it will require something of a cultural leap to allow technology to take containment decisions on our behalf.
The value of data
Data breaches were cited as a concern by 54% of CIOs, demonstrating how CIOs are attuned to the broader debate around data privacy and management. Despite the measures introduced this year, it's still very difficult to understand and manage data permissions, both for consumers and for the businesses that hold their data, and there's a lot more that needs to be done to clean up the ethics around this.
According to our CIO sample, the impact of GDPR has fallen far short of the dire predictions, with nearly three quarters (71%) saying that GDPR passing into law has had no impact on their organisation at all. Based on what we heard from customers, GDPR was significantly overplayed and organisations became apathetic long before the May deadline. Faced with vendors trying to sell them solutions for their GDPR requirements, a lack of understanding of what their liability was and a misconception that they were too small to be significant, fed-up businesses appear to have settled for the view that "we only need to be as good as our neighbour".
It would be wrong to suggest that GDPR in and of itself had no effect. Rather, most organisations did a good job of implementation, so the deadline passed quietly, much as those with longer memories will recall from Y2K. The Logicalis Global CIO Survey also assessed the cost of GDPR compliance and, again, the reality fell well short of the hype. Though the average investment of up to £25,000 is not insignificant, it suggests that the process was handled well and efficiently.
So what happens now?
Even though the fines for non-compliance are considerable, we'd expect the biggest financial impact in a post-GDPR world to come from class-action lawsuits arising from data breaches. The huge numbers of customers affected by these large data breaches make this inevitable. But this also has the potential to be hijacked by "ambulance-chasers", and our survey found that 6% of CIOs have already been targeted by opportunists seeking to profit from non-compliance. So expect those PPI and whiplash calls on your phone to be replaced by an automated voice asking about the data breach that compromised your personal information.
We're certainly at the point now where data breaches should be viewed as "when" and not "if". We'd expect organisations to turn increasingly to encryption as a way to minimise the impact when a breach does happen, a trend that has been slow to date because of the associated costs. One caveat worth stating plainly: encryption only reduces breach impact if the keys are stored and managed separately from the data they protect; an attacker who can dump a database along with the keys that sit beside it gains nothing less than they would from plaintext. Perhaps the threat of users removing their personal data, and a greater understanding of its value to the business world, will be the catalyst this needs.