One of the great paradoxes of IT security is that the people protected by IT security technologies have more faith in them than the IT professionals who deploy and manage those technologies.
A recent survey of 1,110 senior executives conducted by The Economist Intelligence Unit on behalf of VMware finds that 40 percent of IT executives expect a major attack on their organization to be successful within the next three years. In contrast, only 25 percent of the C-level executives felt the same way.
That dichotomy might narrow in the months ahead as attacks such as ransomware become more common. But for IT service providers focused on security, the challenge they regularly face is convincing C-level executives that more dollars need to be allocated to IT security.
Making security a higher priority
Unfortunately, business executives tend to think of IT security spending as a percentage of the overall IT budget, which is itself usually a small fraction of the revenue a company generates in any given year. When business circumstances warranted, many IT leaders have historically treated the IT security budget as an easy place to cut in a given year, for example by deferring a firewall upgrade.
The good news is that this situation is improving, slowly but surely. Many organizations now treat IT security as an exercise in risk management. In fact, much of the IT security budget is often allocated through a chief risk officer rather than the chief information officer (CIO). Sitting between those two executives is usually a chief information security officer (CISO) who has a dotted-line relationship to the CIO.
The Economist study makes it clear that, from a tactical perspective, IT security has never been a higher priority among technology executives, who overwhelmingly cite it as the organization's top overall priority. For C-level executives, cybersecurity comes in a distant ninth out of ten top organizational priorities. Of course, that only serves to illustrate why Mr. Robot should be mandatory viewing for business executives. About the only thing both groups of executives agree on is that if their customers find out there was a breach of customer data, everybody is going to be in a world of pain.
Benefits of external security expertise
What all this highlights for IT service providers is just how hyper-focused IT executives are on security. The obvious upside is that they are more willing to spend time and money on it. The downside is a natural tendency to treat IT security as a task they should own and maintain in-house.
Instead of relying more on external expertise, far too many IT executives are absorbed in tactical security work such as firewall management. That is not to say IT security management isn't important. It's just that there is usually an external service provider that can do it better, with dedicated staff and tooling. More importantly, every minute internal IT spends on routine security operations is one less minute available to add value to the business elsewhere. Most business executives would rather see more secure applications rolled out faster, which argues for bringing in third-party security expertise to support more agile application development.
The real challenge facing IT service providers is how to foster that dialogue. IT security has never been more critical. But history has shown time and again that the more critical something becomes, the better off everyone concerned is leaving it in the hands of experts.