Sunday, March 6, 2016

(the big disrupt) IT Security: Why do so many organizations still suck at data security?

It has become axiomatic to say that no organization is the same as the other, but when it comes to data security, the differences between organizations are few and far between, to say the least.

Back in late 2014, we wrote an article appropriately titled "why so many companies suck at data security" in response to the Sony hack debacle and pointed to a number of factors as to why data security was so bad and costly data breaches were on the up. Unfortunately, we can still write the same article with a few updates, as not much has changed except the widespread acknowledgement in both public and private sector organizations that data security must become a top priority.

This acknowledgement of the importance of data security has partly been fuelled by the post-Snowden fallout, which resulted in consumers taking the badly attributed "the price of liberty is eternal vigilance" quote to heart, and by the endless horror stories of governments and corporations suffering humiliating and costly data breaches. Together, these have produced a strong rise in demand for secure products and services.

Increased demand for secured products and services has had a severe knock-on effect on organizations, which have astronomically increased their security budgets, created new roles such as CISOs and CSOs, and given them the responsibility to keep their data secure.

However, what we've seen is that CISOs and CSOs have become targets when organizations look for someone to blame for breaches, which accounts for why the role has an abnormally high turnover. While it can be argued that CISOs and CSOs should be held responsible because they have ultimate responsibility regarding security matters, this mindset almost guarantees that companies will be no safer from breaches, as constant change indicates to attackers as well as potential replacements that their security posture is vulnerable to attack and that they won't be given much time to fix problems.

In this environment, breaches are bound to occur and even proliferate as organizations collect and store more data. This causes headaches for CISOs and CSOs, as the sheer volume of data they're asked to secure expands almost in lockstep with the proliferation of technologies such as the internet of things (IoT). CISOs and CSOs are already feeling the pressure of securing an ever-growing IT infrastructure, and with many organizations adopting or planning to adopt the IoT, the pressure on CISOs and CSOs to secure notoriously vulnerable IoT networks, as well as the vast reams of data they'll collect, is going to be ludicrously high.

In sum, after years of outright underinvestment and costly failure to take data security seriously, organizations across the board must come to terms with the fact that IT security is irreducibly complex. With the future growth of connected devices, that irreducible complexity poses a challenge that CISOs and CSOs, at the time of writing, are not in any sense prepared to tackle with an adequate degree of competency, which almost guarantees that the headline-grabbing data breaches that haunt organizations will continue.
