The Future of Cybersecurity – Deloitte

Deloitte publishes its “Future of Cyber Survey” after surveying over 500 C-suite executives with responsibility of cybersecurity in organizations that make at least $500 million in annual revenue. We will review and summarize some of the findings of the survey in this blog.

As organizations focus on digital transformation initiatives, they realize that cyber has entered every phase of a business, from product design, to manufacturing to customer use. Cyber is a company-wide responsibility and includes areas like the Internet of Things (IoT) and the cloud. With finite budgets and resources, cyber c-suite execs feel like their biggest challenge is the integration of cyber transformation initiatives. The ability to apply a high level of cyber strategy and security as well as delivering day to day management will likely be taxing on even the most proficient cybersecurity teams.

CSOs and CIOs found cyber transformation to be the biggest challenge of cybersecurity management across enterprise infrastructure by 35% and 34% respectively.

Organizations are focused on two out of five of the core National Institute of Standards Technology’s (NIST) framework – detect, respond and recovery— while cyber governance absorbs the third top spot. This leaves other areas, like Identity and Access Management, left behind.

Deloitte also found that cybersecurity budgets are evenly spread across all areas, presumably to mitigate risks. With 90% of respondents reporting that cyber transformation budgets are at less than 10%. This is budgets that would be realised on projects like cloud migration, software-as-a-service (SaaS) implementation, analytics and machine learning (ML). This reveals a gap in organisational ability to meet cyber-demand.

Only 4% of C-Level cybersecurity executives say cybersecurity is on the agenda once a month at board meetings. 49% say it’s on the agenda at least quarterly.

Boards should consider better amalgamation of cybersecurity initiatives into the agenda with key performance indicators to measure success.

According to Deloitte:

“To drive effective execution of a cyber risk program, executive management needs to structure their cybersecurity leadership team to drive communication and implementation of security across the enterprise and have both the authority and expertise to do so. This is typically best achieved when the cyber function is represented in the C-suite so that the broader organization can better understand the priority and importance of adopting or creating a cyber-secure enterprise.”

It’s important to ensure the IT function has a senior enough role to confidently lead cyber initiatives with line of sight into strategy and operations critical to cyber transformation within the organization. The CISO role has the power to be this within an organization but only 4% of respondents said that the CISO sits on the board.

32% of respondents say the CISO reports to the CEO. 19% say CISOs report to the CIO.

Cyber often gets stuck under IT and may also report to the CIO. IT Security is equated with cyber but they’re often not the same function. This means the cyber budget often rests within the IT budget. This could be why we are seeing the results that cyber isn’t often a priority. CISOs are left with a lack of ability to shape strategy and shift priority.

50% of CIOs say the most common outsourced function of cyber is security operations, and 48% of CISOs chose insider threat detection.

Partnerships are important for cyber initiatives to succeed but wrong decisions and failures from third-parties can be costly. On the other hand, keeping some functions in-house can also be costly. Identity and Access Management, for example is one where only 12% of respondents say they outsource but there is evidence to suggest that outsourcing can be a huge saver of time and development costs.

48% of respondents say that the biggest challenge to application security risk is “lack of appropriate organizational structure to enable the integration of security into application development life cycle”.

Deloitte says:

“As the DevSecOps trend gains momentum, more companies will likely make threat modeling, risk assessment, and security-task automation foundational components of product development initiatives, from ideation to iteration, to launch, to operations. DevSecOps fundamentally transforms cyber and risk management from being compliance-based activities—typically undertaken late in the development life cycle—into essential framing mindsets across the product journey.”

Privileged identity/ privileged access management (PAM) was ranked the top priority for identity security initiatives followed by Advanced authentication, including multi-factor authentication (MFA) and risk-based authentication (RBA).

The amount spent on Identity and Access Management is projected to increase faster than any other security measure. It is the foundation of the digital economy and recognised as an important factor in security posture.

Deloitte says:

“This is also where organizational change must take place—in the consumer experience. The enterprise can no longer relegate consumer identities to be managed solely by the marketing and sales organizations; the security organization should also have input into consumer and third-party data, access, and compliance.”

35% of respondents ranked data integrity as most concerning cyber-threat.

Today’s environments involve troths of data and as such, organizations are having to prioritise their most sensitive data to secure. The more data, the more a cybercriminal will want to find a weak spot and exploit it. 90% of organizations even experienced disclosures of sensitive data within a production environment in the past year.

What Can We Learn From This?

Certainly if you are thinking of starting a new organization, you have the opportunity to “grow a cyber-minded culture and secure by design approach with a strategic cyber risk framework from inception”. For pre-existing organizations, executive management will need to consider how to achieve business outcomes by re-engineering strategies for cyber-risk.

Organizations are already working hard to meet the demands of a cyber-everywhere future but the report also shows that organizations are not yet ready for what’s coming and may need to rethink their strategy. Moving away from focusing on IT problems to focusing on cultural shift may be the only way to keep the pace and shift responsibility of cyber from one organization to the whole organization.