Is there a price to pay for cyber security? Does an effective defense against cyber attacks hinder an organization’s effectiveness and stifle innovation and efficiency? As a recent global survey by The Economist Intelligence Unit (EIU), sponsored by VMware, reveals, many C-suite executives (CEOs, CFOs, COOs) believe it does.
It is a belief that is starkly at odds with the senior technology leaders (CIOs, CISOs) who participated in the same survey. Overwhelmingly, senior technology leaders believe that cyber security does little to hinder business innovations or efficiencies. It’s a remarkable difference of opinion, made even more noteworthy because it exists within corporate boardrooms worldwide. So, what accounts for this difference of opinion? It’s worth a closer look.
The View from the C-Suite
According to the EIU survey, the C-suite believes that cyber-security activity is taking a toll on critical functions. Nearly half of survey respondents said their firm’s cyber defenses delayed launching new products to market, made their company less responsive to customers and slower to respond to competitors, and stifled innovation.
Just as significantly, more than half of all C-suite executives saw cyber security as a huge drain on their management time and attention, and one that also requires substantial amounts of scarce, budgeted funds that they feel might otherwise be used elsewhere to help grow and improve the business.
Always Fighting the Last War
It is not difficult to understand why. The security architecture of most firms has been built, product by product, in response to the greatest perceived threat at the time. The result is that most firms’ defenses today are comprised of a variety of proprietary products and services from multiple vendors that tend not to play very well with each other.
Among this range of individually sold products are solutions for threat intelligence, end-point protection, penetration testing, identity assurance, incident response, and anomaly detection. Rather than an elegant, comprehensive security solution, enterprise security today more closely resembles an insanely complicated Rube Goldberg construction—offering many potential flaws and vulnerabilities to the determined hacker or cyber criminal.
Between a Rock and a Hard Place
And so IT teams end up caught between a rock and a hard place: A new cyber defense is deployed only when it becomes a corporate priority to do so. This situation is guaranteed to leave IT teams in a reactive, defensive posture as their organizations battle over budget priorities instead of anticipating and planning for the future.
As the security architecture becomes more complex with each new bolted-on component, the perception that this complexity is harming business innovation and efficiencies continues to grow. It is a perception that grows even more irksome to the majority of C-suite executives because, as the EIU survey reveals, they also tend to feel that an attack on their own firms is not imminent.
Somewhat ironically, when asked to explain why they felt that way, the vast majority (91 percent) of the C-suite executives in the survey responded by crediting the very same cyber defenses they say are causing harm to their firms’ innovations and efficiencies.
Changing the Game. Changing the Conversation.
It is clear that security leaders need to better understand the perspective of the C-suite. In particular, they need to realize that as important as cyber security is, it is just one of many contending priorities. At the same time, it is just as important that the C-suite make a better effort to understand the situation from the point of view of the security leaders, and, in particular, the vise they put their security leaders in by making budget priorities dominate security planning and possible future investments. Both ends of the boardroom need to adopt this more holistic approach to be more effective. And with the advent of new thinking about security architectures, now is the right time to begin.
As Larry Karisny, director of ProjectSafety.org, suggests in a recent post on Digital Communities, organizations need to change their current mindset about cyber security. Rather than rely on what they did in the past, they should “think like a hacker,” and begin “protecting innovation with innovation.” What Karisny means is that the technology exists now to beat the cyber criminals at their own game. But only if corporate leaders, both business and security, come together and realize that the old way of doing security—responding to one threat at a time—is obsolete. Cyber criminals use highly sophisticated software to exploit the holes and fissures in current security architectures. They use programs, Karisny points out, “that identify and exploit vulnerabilities in milliseconds. All the employment and training in the world,” he continues, “cannot stop a hacker’s millisecond attack. People don’t think in milliseconds; technology does.”
Karisny is certainly not alone in his line of thinking. President Barack Obama called for an overhaul of the U.S. government’s own cyber security defenses in a recent Wall Street Journal article. He said it was “no secret that government IT is like an Atari game in an Xbox world.” And though he was not speaking to enterprise leaders, the thought is very much the same.
So what is the game-changer here? It is to use new, network virtualization technologies, like VMware NSX, to create a true, next-generation security architecture. This is the solution that will not only enable business innovations and improve business operations, but will, as VMware CEO Pat Gelsinger said in his 2016 RSA keynote, “make security better, faster, and less expensive.” It is clearly in the best interests of the business and security leaders in the corporate boardroom to do so.