The report is based on an independent survey of 300 operational IT decision-makers and 300 security IT decision-makers across the UK and the US.
While cyber security is receiving increased attention and investment, with global spend predicted to exceed $1tn through to 2021, the report said the biggest gaps continue to exist in plain sight.
More than three-quarters (77%) of respondents believe they are not extremely well prepared to react to a serious data breach and 60% said they have experienced a serious security breach in the past two years, with 31% saying this has happened more than once.
Eight out of 10 claim digital transformation increases cyber risk and less than a quarter (23%) believe their IT operations and IT security teams work together extremely well to secure the business, despite 97% saying their organisation would benefit from better collaboration between these teams.
On average, respondents said they have visibility of just 64% of their organisation’s total software estate and only 66% of this software is current.
More than three-quarters (77%) said remote working will continue to be a security concern until organisations can find a way to reach, patch and secure remote workers effectively.
The majority of respondents are seeking to increase investment in areas such as software migration automation (80%), breach response and remediation (67%), and/or software patching (65%)
“Businesses are losing control of their estates because of fundamental issues such as the widening gap between IT operations and IT security and deferred responsibility,” said Sumir Karayi, CEO at 1E.
“There is also a lack of understanding of where the security focus should be. While budget can easily be allocated to the sector, CIOs have the challenge of explaining the pivotal need for areas like patching, which can feel mundane.
“But without this hygiene, companies must constantly defend against new vulnerabilities or risk a major breach. This creates a phenomenon called the software arms race, an unabated competition between exploiters and the entire software industry. Set on a continuous loop, one creates an issue, the other builds defences.”
Kurt De Ruwe, CIO of lighting company Signify, said IT operations and IT security teams must work together, agree aims and create a shared toolset.
“When something does go wrong, don’t play the blame game,” he said. “If you point a finger, there are usually three fingers pointing back. Use your collective energy to solve the problem instead.
Looking wider, De Ruwe said new technology is an important way to empower IT operations better. “Live information is really important because viruses, phishing attacks and all these things happen from moment to moment, so you need to be able to react quickly,” he said.
“There was a time when you could afford to wait a week or two before you had the information. Today, real-time information makes all the difference.”
The research report concludes with a 10-point action plan for businesses, compiled by cyber security expert Michael Daniel, former special assistant to US president Barack Obama.
“Too often, I see organisations expend far too much budget and resources on new and expensive tools,” said Daniel. “But the real problem isn’t always down to a lack of technology – it’s often the lack of a cohesive relationship between IT security and IT operations, which can result in gaping holes in the organisation’s security profile.
“While you can never drive your cyber risk to zero, if IT and cyber security operations work together, you can dramatically lower your risk profile.”
Ten ways to lower an organisation’s cyber risk profile:
1 Align goals closely with the business for pragmatic security versus operational requirements:
- Agree on which IT systems are most critical for business operations to determine.
- Identify systems that could be retired to allow for efficiency gains and reduced security requirements.
2 Create shared objectives and responsibility for IT security and IT operations:
- Seek 100% asset visibility.
- Upgrade and patch based on an agreed set of shared KPIs.
- Ensure your critical assets are patched and updated as a priority.
- Mitigate the resulting vulnerabilities if you can’t patch or update.
3 Employ a common set of tools and appliances:
- Remove siloed/duplicate tools for transparency, operational efficiency and cost-effectiveness.
- Have one (agreed upon) source of truth.
4 Automate patching and updates to the maximum extent possible:
- Minimise the need for human intervention where possible.
- Enable remote workers to self-serve for OS upgrades to reduce the burden on IT.
- Enable operational and security tasks to be carried out in real-time on every endpoint without distracting users.
5 Create transparent progress reporting for IT and security teams:
- Ensure everyone can see progress towards the visibility and patching goals.
6 Establish consistent reporting on security posture to the board:
- Develop a KPI-driven framework for board reporting that increases awareness of security posture.
- Make both IT operations and IT security accountable for the achievement and reporting of these KPIs.
7 Join a cyber information sharing organisation relevant to your industry:
- Make sure your IT operations and IT security teams have access to the latest threat information.
- Adjust your operations and security posture based on that threat information.
8 Identify who is responsible for what actions during a cyber incident:
- Develop a clear and shared incident response and recovery plan.
- Rehearse such eventualities.
- Integrate the technical response activities with your company’s broader incident response plan.
- Develop the capability to recover from cyber incidents when they occur.
9 Break down barriers to communication:
- Communicate priorities and goals from management.
- Physically locate IT operations and IT security together if possible.
- Incentivise regular communications between IT operations and IT security.
10 Update your action plan, KPIs and priorities at least annually:
- Adapt priorities to stay consistent with business needs.