At the start of this year, I was talking to a CEO buddy of mine who, having become more mindful over the years of the IT security issues that could affect his mid-sized business, was trying to suss out any impending problems arising from the apparent rise in data breaches. At the time, the Sony incident was still getting a ton of press, so that attack in particular was top of mind for him.
He voiced his expectation that because of this compromise and many other high-profile attacks last year, from Target to Home Depot, organizations were going to be spending a hell of a lot more money on security. He wondered if the industry folks I deal with were seeing this and if more executives like him were trying to get a grip on their cybersecurity needs.
The interesting thing about this conversation, though, is that when I asked him how much he was increasing IT security spending in his own company, he faltered. You see, although he was definitely much more aware of the ever-increasing chances of his company being victimized by cybercriminals, the budgets he had approved for the year specifically for security projects were pretty much flat.
So, while he seemed to think data breaches might be forcing companies to spend a bit more on security, he himself was far from considering reallocating funds from other parts of the business to IT security initiatives. All the while, having taken strides to educate himself about IT security and the ways cybercriminals gain entry to organizations' infrastructures, he did admit that his company could definitely strengthen its stance on a number of fronts. His CEO's mind was simply having trouble giving the real and major security requirements the attention they might need among all those other priorities.
To his credit, after a couple more beers and some lively banter, he began to think that revisiting some of the IT security projects he had shelved, the ones his security staff considered essential to keeping the company up to date and safe, might be in order. So there is that.
But he's not the only CEO who, while acknowledging how crucial information security now is to an organization's longevity and success, also puts off spending more on it. What are typically considered standard, perhaps even expected, security investments in processes and in the technologies and professionals that support them still frequently get delayed by CEOs and their boards of directors. The thinking still seems to be that if the basics are in place and we're at least meeting the requirements of this regulation or that industry mandate, then we're good to go for now.
No matter how much press cyber attacks get, with last year becoming the year of retail data breaches and this one perhaps turning into the year of assaults on health care entities, not much is changing at the executive level. Sure, we've made some inroads. Investments have happened, and budgets exist for IT security. Yet, because there still seems to be some nervousness about the economy and a laser-sharp focus, probably rightly so, on driving money-making business initiatives forward, expenditures on things like security are treated more like nice-to-haves, such as public relations and marketing, than need-to-haves, such as human resources and accounting.
Meanwhile, I'm having more and more of these conversations, and they all convey the same thing: leaders like my CEO buddy and corporate boards expect the company's IT security posture to be stalwart enough to thwart attackers. They surely don't want to be the next Sony or the next Anthem. Yet they also have serious trouble actually making, not just seeing, IT security a keystone of business operations.
So we're still seeing nimble and crafty CISOs getting creative, reviewing their IT security implementations for places where automation and other means of streamlining information assurance practices can be applied. Many of these savvy CISOs are also working more closely with business units than ever before, trying to ensure that IT security costs are built into individual projects from the start.
Some of my IT security friends have said this may simply be part of the natural evolution of IT security: because so many negative and positive factors influence whether they get everything they need to build and maintain the most robust security posture for their companies, they are forced to find ways to better integrate these much-needed procedures and practices into the various functions of the business, by whatever methods are available.
On the plus side, this will hopefully see security increasingly become the responsibility of the entire organization, not just one lone department railing against both the bad guys and continually constrained budgets. Then CEOs may not just be talking about security over a beer or two with someone like me, but having more fruitful, less contradictory and more beneficial discussions with the hardworking pros charged with safeguarding their corporate infrastructures and the data on them.