Data Viewpoint

You must seriously embed “security by design” to minimize security incidents

The Bottom Line: IT and business leaders must understand that security cannot be an afterthought in their digital transformation journey. Defining and embedding the right mix of security policies and controls at the very beginning of new IT initiatives will not only enforce good security practices, but it will also ensure cybersecurity and IT teams are well-equipped to maintain good cybersecurity hygiene. And all of that will ultimately help organizations minimize security incidents.

The last two years have seen a significant acceleration of digital transformation programmes, leading to an exponential increase in disparate IT initiatives. While most organizations have tried their best to define and communicate “security by design” principles, very few have been able to consistently enforce them at the enterprise level. In our latest Cybersecurity Pulse study, almost one in every two (47%) respondents reported that the lack of cybersecurity oversight and controls governing new IT initiatives has been the biggest contributor to security incidents in the past 2 years. This “foundational” issue had a direct and/or indirect cascading effect on other factors, which in turn significantly contributed to security incidents:

  • Thirty-nine percent (39%) of respondents flagged that human error caused by inadequate procedures and/or training has been the second biggest contributor to security incidents. If new IT initiatives go under the security radar or are lightly scrutinized, standard operating procedures will de facto lack the necessary controls. This in turn will drive ineffective operational processes leading to processing and/or monitoring errors. It is not a surprise that twenty-two percent (22%) of respondents have also reported that inappropriate controls have notably contributed to security incidents.
  • Thirty-five percent (35%) of respondents highlighted that one of the biggest contributors was the inability of existing cybersecurity teams to cope with the increasing volume of security activities. Understaffing is generally a consequence of bad planning: in this case, not involving cybersecurity teams during project mode and not appropriately capturing the impact of new IT initiatives on existing business-as-usual activities. An increase in workload must be accompanied by workforce augmentation, which can take multiple forms, such as hiring new internal staff, expanding the support provided by managed security service providers, or increasing the level of automation.
  • Seventeen percent (17%) of respondents reported that poor cybersecurity hygiene has contributed to an increased volume of security incidents. Bad cybersecurity hygiene generally cascades through the IT environment, leaving organizations more vulnerable to security breaches. The prerequisite for having robust and consistent cybersecurity hygiene is to have adequate “housekeeping” procedures and controls embedded into IT processes. Substandard cybersecurity hygiene practices are generally the consequence of poor security design.
