A recent Microsoft survey of business leaders from India, Germany, the UK and US provided a picture of how corporates anticipate the pandemic could impact cyber security over the long term. While a majority of leaders (58%) are increasing security budgets, with some of the largest increases on a regional basis seen in the US and Germany, 81% felt pressure to reduce overall security costs. The additional spend is being put first and foremost towards additional security staff, and towards increased outsourcing.
There is also clear evidence of a shift in the security mentality of organizations as 94% of respondents indicated they are accelerating adoption of ‘Zero Trust’ — the security concept and architecture that dictates that anything inside or outside a corporate IT network cannot be trusted and must be verified.
It is encouraging that the heightened cyber risk environment since the pandemic is also being accompanied by a shift in organizational security mentality. This is a positive sign as Cyberhedge ratings demonstrate that being good in ‘people and process’ underpins strong cyber governance.
Importantly, the survey reveals a key tension most organizations are now wrestling with. At the same time that companies face unprecedented risks, they are also coming under pressure to cut costs, including security budgets. This places increased demands on existing security programs to execute effectively and justify the resources allocated to them.
Yet, according to Mandiant data, 65% of the time CISOs don’t know that an attack can bypass their defenses. This is partly due to the fact that the rate at which IT controls are misconfigured is alarmingly high. In short, security resources are often squandered on technology redundancies and the underutilization of the technology capabilities companies already pay for. This in turn places an emphasis on the need for improved security ROI.
But managing the tension between the greater risk demands placed on corporate networks and the pressure to cut costs is only one challenge facing C-suites. The report also finds that cyber resilience is fundamental to business operations. This is true because, as operations have been increasingly digitized, the cyber threat is no longer about the loss of customer or employee data. Business disruptions — most commonly in the form of ransomware attacks — cost companies hundreds of millions in lost operating income, in addition to the direct repair costs.
Microsoft highlights how ‘secure cloud’ is an important part of strong resilience. This is an obvious selling point for products like Azure. Validating security controls to understand what is working and what is not is another part of the solution. And quantifying the risks in financial terms and managing them like C-suites manage any business risk is yet another.