Survey – Cybersecurity: how to overcome the conflicts of interest that exist within organizations?
Among the key lessons, this survey:
● Highlights conflicting priorities based on the profiles of decision-makers.
Although the stakeholder groups interviewed agree on the main objectives of digital transformation, namely taking advantage of the opportunities new technologies offer for innovation, for reinventing and optimizing processes, and for improving customer and user experience, each family of decision-makers assigns it a different priority.
58.28% of Business decision-makers expect, above all, better involvement of the business lines. For 61.97% of IT decision-makers, system integration is the overriding objective, whereas Security decision-makers expect information security first and foremost (65.28% of them). Competing priorities thus become an obstacle to the successful transformation of the business.
Regulatory compliance and the realignment of activity on digital channels rank second or third for all decision-makers.
● Recalls how difficult it is for organizations to decide where to draw the line.
Budget constraints are a permanent obstacle to improving security in organizations. 47.09% of decision-makers, all functions combined, rank budget as the number-one brake, ahead of the lack of skills (40.93%) and the fragmentation and lack of integration of security solutions (39.93%).
Yet each category of decision-makers has its own priorities. For Business decision-makers, the main obstacles to improving security in companies are: 1. budgetary constraints (52.98%), 2. lack of skills (43.71%), 3. difficulty in arbitrating between security and business priorities (41.72%).
For the Security functions, budgetary constraints are indeed the number-one brake (50.93%), but they rank the fragmentation and lack of integration of security solutions (43.2%) second and the lack of skills (39.81%) third.
Finally, for IT decision-makers, budget constraints (39.74%) come after the fragmentation and lack of integration of security solutions and the lack of skills, which rank equally (40.17%).
These figures show how difficult it is for most organizations to strike a balance between security and operational efficiency.
● Reveals a key imperative: integrating security into the planning of any new development.
Although most organizations agree on the benefits of security by design, in reality few have actually put it into practice. When it comes to new projects and initiatives, security remains an afterthought for more than a third of organizations.
Security by design is applied at every level of the company in only 13% of organizations, while almost half of them (49.78%) adopt it on an ad hoc, case-by-case basis.
The survey also reveals that although 92.2% of organizations take risk analysis into account when guiding investment decisions, and 81.4% of them believe that their approach to cybersecurity is already aligned with a risk management policy, only 26% of organizations take cybersecurity into account when planning any new business initiative.
● Calls for a rethink of cybersecurity governance.
Neither a guardrail nor a firefighter, the CISO (RSSI) has a fundamental role to play. With a better view of risk, the CISO is a key player within the company, being the only one able to translate cyber threats into business risks and to recommend appropriately sized solutions. It falls to the CISO to adopt this risk-based approach to cybersecurity and to spread it to every level of the organization through tools and, above all, cultural awareness, with the ambition of reducing conflicts of interest within the organization.
Although this study was carried out before the coronavirus crisis, its results are all the more valuable. With the proliferation of cyber attacks during COVID-19, this episode has unfortunately shown that our resilience rests increasingly on digital systems, and therefore on our ability to protect them against threats that the crisis only exacerbates. The challenge for a business, however, is not merely to limit the damage, but to remain competitive no matter what.
Digital transformation shaped by cultures and business objectives…
Although 100% of respondents say they have implemented a digital transformation program within their organization, this score hides another reality: the respondents do not all give the term the same meaning, mainly because their functions differ.
For Business decision-makers, digital transformation means first of all to “innovate, develop new products / services, accelerate time-to-market” (62.3% of them), while the same percentage of IT decision-makers think that it is above all about “improving the user experience to increase satisfaction and / or engagement”. At the same time, for almost two thirds of the Security functions (65.9%), it is first of all about “making more decisions based on data”.
… And differing expectations
Business functions expect digital transformation to give priority to “better involvement of the business lines”, while for IT functions “system integration” remains the number-one objective. Unsurprisingly, the Security functions want it above all to “ensure the security of information within the organization”.
Conflicts of interest that are difficult to overcome
The intrinsic characteristics of the businesses and the very essence of the objectives linked to each function make the “Risk versus Agility” equation difficult to solve, an observation shared by all of the organization’s functions. While 62.8% of respondents consider “innovate, develop new products / services, accelerate time-to-market” the number-one objective of digital transformation, 67% nevertheless believe that reconciling competing priorities is the major obstacle to implementing an effective digital transformation.
Cybersecurity: a risk not as well understood as some people think
While improving operational efficiency is the main objective of all functions (24.96%), cybersecurity is not fully perceived as bringing value. For this reason, it too often finds itself sacrificed to other issues. Added to this are budgetary constraints, the fragmentation and lack of integration of security solutions, and the lack of skills. These are the brakes that prevent organizations from going beyond what regulations and supervisory bodies require in this area.
The need to move from the absolute notion of security to the relative notion of risk…
Translated into risks, IT security is no longer an obscure and costly constraint, but an objective element of management. Adopting a risk-based approach makes it possible to understand the potential impacts on the business. The challenge then becomes comprehensible to everyone, measurable and comparable, so that the company can set objectives and clear rules and measure the progress made against the investments made.
… and integrate security when planning any new development
Cybersecurity should not be optional. Yet, although more than half of the decision-makers questioned are convinced that integrating security when planning a new development is a source of value, in reality this remains a real challenge: only around one company in ten takes up the subject at this stage (13%), and a further 50% adopt it on a case-by-case basis.
In risk management, adopting a risk-based approach to explain business impacts is the essential starting point for an effective cybersecurity approach.
A metamorphosis under way… but the lure of profit persists
In terms of security, the lines are starting to move. Security should not be a one-person affair, but an integral part of the culture of every business line. Organizations have already begun moving security into the initial phase of building the digital platform, which is a good sign. All functions combined, nearly 26% of organizations integrate it from the design stage (37.7% of Business functions, 27.3% of Security functions and 23.2% of IT functions).
Despite the promise of a secure workplace transformation, in an increasingly competitive market organizations are unfortunately still willing to sacrifice user security to support business initiatives. Only the CIO is more willing to face regulatory risks than risks to user security.
Rethinking cybersecurity governance to accelerate change
Although IT security managers and senior IT managers agree on the benefit of a formal, embedded approach to security, beyond this central objective their views differ when asked what matters most in operational security.
Security managers place a strong emphasis on integrating security across the enterprise (integration and optimization in support of the Business). IT functions are well aware of the challenge of maintaining a dedicated team and are more likely to outsource key parts to security service providers they can supervise.
The CISO, the essential mediator
With a better view of risk, the CISO (RSSI) is a key player in the enterprise because the CISO is the only one capable of translating cyber threats into business risks. It falls to the CISO to adopt this risk-based approach to cybersecurity and to spread it to all levels of the organization through tools and cultural awareness. This is, moreover, the main role the decision-makers interviewed assign to the CISO as a priority: “Cooperating with the business lines so that they place their activities within an accepted risk framework” (47%), ahead of “Reducing the probability of threats (internal and external) that weigh on the company and its assets” (45%) and “Integrating security into the environment” of the company to reduce costs and increase efficiency (43%).
“[…] It is fundamental to rethink the governance of cybersecurity. Separating IT from security eliminates conflicts of interest. By adapting its discourse and its arguments, by focusing on the concept of risk, which is known and accepted, rather than on that of security, which is vaguer and demobilizing, the CISO would then be able to directly obtain the buy-in of the company and its general management. With this support, he could then specify his requirements to IT, which, as a service provider, would respond to this formal request,” explains Martin Esslinger, Partner, Devoteam.
Methodology: Survey conducted from 08/22/2019 to 09/19/2019 in France, Norway, Denmark, Austria, Germany, Switzerland, Belgium, Luxembourg and Saudi Arabia. On behalf of Devoteam, the polling institute IDC interviewed 601 decision-makers from European and Middle Eastern companies with more than 500 employees. The interviewees were grouped into three distinct populations: Business (CEO, DG, DAF, business-line managers, etc.), IT (CIOs and other IT managers) and Security (CISOs/RSSI and other security managers). Respondents were asked about a wide range of factors related to their organization’s approach to security and the alignment of security objectives with digital and business transformation objectives.