Cybersecurity is a bit of a mystery to me. In the IT world, there’s a certain rhythm to most discussions. When something is new and shiny, we talk about it A LOT. Then we either figure out how to fold the new thing into operations and we talk about ways to make it more efficient, or it fades into the background and we stop talking about it altogether. During my time at CompTIA, cloud computing and unified communications were two examples that followed different paths. Both topics were the center of the universe, then cloud became widely adopted and got folded into infrastructure practices while we don’t hear much about unified communications anymore.
Cybersecurity doesn’t fit the pattern. It’s certainly not new… but we talk about it all the time… yet we never seem to reach the point where we have it under control and make it a common part of a daily routine. Maybe this is because cybersecurity has such a strong external component. The bad guys are always trying something new, but usually your cloud provider isn’t totally disrupting the way you stand up infrastructure. Or maybe cybersecurity has always been a reaction to technology decisions, so it’s a constant game of chase.
CompTIA’s new State of Cybersecurity report digs deeper into this mystery. After several years, our study shows that there isn’t much progress around satisfaction with cybersecurity schemes. Organizations recognize that cybersecurity is important, but they either have trouble building the proper approach or don’t know what the right approach is in the first place.
From a high-level perspective to the fine details, we see four areas that can play a role in solving the cybersecurity mystery:
- Policy: In this context, policy refers to the overall mindset an organization adopts. As organizations go further down the path of digital transformation, the most important questions for technology are not around specifications but around strategic objectives. Cybersecurity needs to be viewed the same way. Not as a tax for using technology but as a tool for addressing risk throughout an organization.
- Process: Zero trust is slowly becoming the guiding light for cybersecurity activities. One of the challenges in adoption is simply recognition; zero trust is a broad philosophy driving decisions, not a single product to be implemented. The good news is that many individual actions under the zero trust umbrella are being put in place, such as multifactor authentication and cloud governance.
- People: Cybersecurity chains are growing more mature as organizations bring more groups into the circle of cybersecurity discussions. There is still a need to include business staff more often, especially as business units are more active in technology procurement. But the main focus remains on technical staff. Here, there continues to be focus on specialization and building skills such as threat knowledge, network security and data analytics.
- Product: The suite of cybersecurity tools grows larger and larger as organizations add to existing secure perimeter technology with targeted products such as data loss prevention (DLP) or identity access and management (IAM). As the toolset grows more complex, automation becomes more critical. Automation can help tie everything together and reduce the burden on Tier 1 support, but implementing and managing automation becomes its own task that requires attention and expertise.
This is a lot to handle. And with so many different angles to consider, it’s likely going to drive more investment. Not just in money but also in time and energy as decision makers get more educated on the right way to perform cybersecurity in today’s environment. With more investment, the natural question from these decision makers is: How does an organization know that it’s doing the right thing or making progress?
There are several new metrics that come to mind (number of systems patched or results of security audits are two examples), but the main approach that’s emerging is risk analysis. Organizations are getting better about doing risk analysis as they have to prioritize their applications and datasets. But moving forward, we expect to see risk analysis become a more important driver for cybersecurity activities. Identifying, quantifying and mitigating risk will lead to improvements in processes, skills and tools that go beyond simply building stronger defenses.
Will we solve the cybersecurity mystery in the next twelve months? Signs point to no. This is a complicated topic with a long history, and it’s not easy to change course. But my hope is that when I gather the data for next year’s report, I’ll see signs of progress and maybe more optimism that organizations are improving their cybersecurity posture.
Check out the 2022 State of Cybersecurity Report here.