
The CEO will often sit and survey his or her business. They think it’s secure but they’re not 100 percent sure. They read a report about a new threat or attack in the newspaper, but they suspect that their IT team has it covered.

But how do these executives know they are properly covered and secured? And in a world of new technologies and emerging threats, what does “covered” mean anyway?

An evolving threat landscape

The example above is fictional but not atypical of businesses today, with many organisations still struggling to stay secure in the face of human mistakes and an ever-evolving threat landscape.

This is backed up by a new research report from Microsoft and CIO, which found that Chief Information Officers (CIOs) are fighting to keep their organisations secure on numerous fronts.

In a survey of 147 senior IT respondents from companies with 250 or more employees, it was revealed that the range of threats facing CIOs is wider than it has ever been before.

Asked what their biggest security concern was for 2017, most CIOs cited phishing and social engineering (35 per cent), followed by ransomware (31 per cent). Mobile malware was the lowest-rated threat, with fewer than one in twenty thinking it would be the biggest issue they faced, but this could change given that analysts estimate the number of Internet-connected devices will rapidly grow to 26 billion units by 2020.

The variety of attacks illustrates just how sophisticated cyber-criminals are becoming.

“While the lone teenager pitting their wits against corporate networks may be the stereotypical image, the ‘who’ behind cyber-security threats is actually far more multifaceted, complex, and continually evolving,” says Stuart Aston, chief security advisor at Microsoft.

“It’s not simply malicious outsiders that are the issue. Knowingly or not, employees within organisations can also behave in a way that jeopardises the security of their company’s data.”

In addition, Aston says that with more organisations suffering reputational damage resulting from phishing attacks, “implementing good corporate email security like that recommended by the cabinet office/NCSC (National Cyber Security Centre) is a really good way of mitigating this threat and protecting the community.”

With this threat landscape widening all the time, it’s perhaps unsurprising that the responding CIOs cited “a lack of human resources to monitor for the latest security threats” (48%) and “the ability to keep up with the threat landscape” (44%) as their two biggest challenges, with “staff bypassing security measures and rogue employees” a significant issue for 42% of respondents. Insecure legacy systems (37%), an inability to patch systems quickly enough (24%) and other comments relating to resources and time were also high on the list of the CIO’s pain points.

Indeed, visibility seems to be a recurring theme for the CIO, with the report highlighting that the CIO simply lacks the resources and expertise to stay ahead of nefarious actors. It is perhaps for this reason that the responding CIOs were most interested in acquiring threat intelligence (53%), endpoint protection (53%) and anti-malware technologies in order to improve threat visibility, detection and prevention.

More positively, one thing that appears to be improving with CIOs in relation to cyber-security is board support and awareness. Over two-thirds (69%) of CIOs said that their board understands their organisation’s security challenges ‘very well’ or ‘well’, with only 11% saying ‘not very well’, and 3% saying ‘not at all’.

What is your job?

Sometimes it is worth taking a metaphorical step back and looking at some of the fundamentals driving people in their jobs.

It is self-evident that the CIO is a technologist, interested in problem solving, with information security only part of their remit. However, unless they work in an IT company, they are not there to build out technology for its own sake.

The computing serves another purpose altogether, whether the company is a publisher, a pharmaceuticals company or a builder, and none of these became substantial organisations by becoming IT organisations.

With this in mind, it is reasonable to suggest that a corporate culture and business world that has pushed the CIO into focusing exclusively on the technology, and away from a strategic view of the core business, continues to be a flawed model.

And while it appears that CIOs are gradually becoming more strategic, this same flawed model can still be seen in relation to information security, with the unknowing employee at the centre. All too often, the human is blamed for security errors, and this has dire consequences for the CIO and the organisation.

Take the example of ransomware. An employee clicks a dangerous link and is locked out of their files, with the ransomware authors demanding £150 to release the data. Fearing for their job, the employee simply pays up and doesn’t report the incident. There is little or no research to show how often this happens, but every CIO suspects it goes on and is powerless to stop it, unless they shift the organisation’s culture to allow people to “be human” and make mistakes.

This approach would actually mean allowing the human and the technology to work and interface together, to accept that there isn’t a big dividing line between the two. If employees are scared to come forward, they will cover up. Is the corporate culture to blame for some security risks? And if it is, can this culture be improved by a proactive CIO with supportive technology partners?

Shifting borders to the cloud

Once it’s accepted that corporate culture may be part of the problem, it’s worth considering whether all of the remedies on offer are the right ones.

Perimeter control sounds uncontroversial until BYOD starts eliminating perimeters (the Microsoft survey showed a jury that was distinctly “out” on how to secure a BYOD implementation), while anti-malware solutions can sometimes be found wanting.

What becomes clear is that organisations are moving to the cloud for improved information security. CIO confidence in the cloud appears to be improving, with almost half of CIOs disagreeing that moving to the cloud increases security concerns, and with data encryption, traffic encryption and access control the most favoured technologies for protecting data in the cloud.

Given the speed of the evolution of attacks, it is no longer realistic to expect someone who doesn’t have security as a full-time focus to keep up.

A preferred partner, trustworthy enough to entrust with elements placed in the public cloud, is one sensible option to take the strain off the organisation and the CIO. And if that partner is also the source of much of the rest of the IT in the organisation, bringing the reassurance of experience and the convenience of a one-stop IT shop, surely that works for everyone.

Clearly CIOs are looking for a partner to provide such a solution, and it’s clear that Microsoft is one market leader. Microsoft was highlighted as the leader for information security (cited by 57%), compared to rivals AWS (48%), Google (24%) and IBM (26%).

It’s high time the CIO community was set free to work on its companies’ specialisms again, whilst putting the human at the centre of security excellence.

Discover how Microsoft can help CISOs develop a holistic cybersecurity strategy. Click here to access useful articles, infographics and case studies.