The harsh realities of protecting Australian enterprise

While the topic of IT security was once technically obscure and of little interest to the running of a large organisation’s business operations, the mood in the boardroom is starting to change.

The Fortinet Security Census 2014 has uncovered the harsh realities of protecting businesses from the unpredictable and increasingly problematic challenges of cyber attack, data theft and other IT security concerns.

This research exercise was undertaken in August 2014 on behalf of Fortinet by the independent market research company Lightspeed GMI. It polled 1,610 qualified IT decision makers (ITDMs) including CIOs, CTOs, IT Directors and Heads of IT working at large organisations from 15 countries around the world, including Australia.

In this research we learnt a great deal from exploring the current perceptions of IT leaders (CIOs, CTOs and IT decision-makers) about the challenge of IT security and the changing dynamics within large organisations driven by newer technologies, increasingly complex and frequent threats, and the quest to use technology to deliver innovation.

Increasing boardroom pressure for IT security

High-profile IT security attacks and national security scandals have been a common feature in the worldwide news reports of the last 12 months, and this is borne out in the dramatic increase in pressure, awareness and involvement in IT security matters coming from the direction of the boardroom. The pressure on Australian senior executives about IT security had increased markedly from one year ago, when 38 per cent of respondents reported a high or very high rating of pressure, to today when the figure is 65 per cent. This 71 per cent jump in pressure was the highest of the countries surveyed, with the financial services, retail and public sectors feeling it the most. This is significant in comparison to a 27 per cent increase in pressure across the APAC region and globally.

Boardroom influence is having a positive effect in many quarters, with our survey finding that the lion’s share of ITDM respondents was not only satisfied with their present resourcing levels for IT security, but also optimistic about those levels increasing. Three out of four ITDMs agreed that they had been provided with sufficient resources for IT security in the last 12 months, and a total of 77 per cent believe they will have sufficient resources in the next 12 months.

The pressure on maintaining IT security is not made any easier when considering the conflicting views on the value of reputation. While the research didn’t poll senior non-IT business executives themselves, it did collect ITDMs’ perceptions on the priorities of this group in terms of IT security. IT decision makers (ITDMs) perceive differences between what they and senior business executives deem signs of a successful IT security strategy, especially when it comes to the objective of ‘avoiding getting a reputation for poor data security’. ITDMs believe this is senior executives’ highest critical success factor (30 per cent) while placing it firmly at the bottom of their own list with only 12 per cent.

Securing the enterprise becoming harder to achieve

The growing pressure on ITDMs from the boardroom is having a direct impact on the increasingly challenging job they have keeping their organisations secure. Up to 85 per cent of Australian respondents believe the job of keeping the organisation secure has become more challenging, with the rising volume and complexity of threats the biggest culprit. C-level IT leaders are suffering the most, with nearly 50 per cent saying the task is ‘significantly’ or ‘substantially’ more challenging according to some factors.

It’s getting harder to combine security with business innovation

One of the most troubling findings from the research is that so many ITDMs clearly find it difficult to pursue their innovation objectives because of security concerns. Fifty-two per cent of all ITDMs surveyed have slowed down or cancelled a new application, service or other initiative because of cyber security fears. The figure is 55 per cent among those reporting the highest level of boardroom pressure and scrutiny around IT security.

Globally and in APAC, this figure spikes to 63 per cent. The types of services, applications and initiatives involved in these instances where security scares off innovation appear to be dominated by mobility-related initiatives and applications. These include internal mobile apps (40 per cent), external mobile apps (38 per cent) and the introduction of new corporate devices/BYOD (32 per cent).

The high-profile issues surrounding data privacy and big data are provoking action, with up to 83 per cent of Australian ITDMs planning to change their outlook on IT security in response. The majority in each case is inclined to rethink existing strategy to address the challenge rather than spend more money and resources. This is the inverse of the response globally, where the biggest companies are the most likely to invest.

Where once the topic of IT security was technically obscure, and of little interest to the running of a large organisation’s business operations, today we know that boardroom executives are very interested, involved and concerned about providing sufficient resources to their IT teams to keep the business secure.

While these interventions could have a counter-productive effect in overcoming the IT challenges, this is counterbalanced by the positive benefits of boardroom executives’ involvement in IT security. The vast majority of ITDMs were seemingly content with the resource levels they are provided with to address IT security needs both now and in the future.

What exactly to do with these resources was not fully interrogated by this research, but consistently apparent were the major priorities of managing data privacy and big data, as well as coping with the increasingly complex and aggressive threat landscape. Investment will be a significant part of addressing their objectives – particularly in respect of data privacy.

One emerging global strategy, while still nascent in Australia, appears to be the outsourcing of security capabilities to managed security service providers

Perhaps emboldened by their adoption of many other cloud services, ITDMs implied a positive acceptance that many kinds of security function – including advanced-level functions – were suitable for outsourcing. This will be an interesting trend to track in Australia, with all indications pointing to its upward trajectory globally.

Another finding for closer examination in the future is the worrying response to our question about stalling innovation because of security concerns. While the process of testing boundaries is a natural and positive part of innovation, the fact that more than half of respondents said they paused or even abandoned important business initiatives is not good news. It was not surprising to see that those ITDMs seeing the biggest internal pressure from boardroom bosses were the most likely to be scared off innovation.

IT professionals are valuable because they drive innovation into the business, not least because they supervise the machinery of data and communications technology. IT security should be flexible, intelligent and resilient enough to always say ‘yes’ to innovation, rather than ‘no’.

Such resilience only comes through commitment to a cohesive lifecycle approach that confronts all the many facets of today’s cyber threats. This allows enterprises to grow, take advantage of new technologies, be compliant with regulatory requirements and forever remain trustworthy in the eyes of their market.

James Young is consulting systems engineer at Fortinet