Kathy Gibson is at the IDC Security Summit in Johannesburg – If you are not thinking about security, you are not thinking about technology properly.
That’s the word from Mark Walker, associate vice-president: sub-Saharan Africa at IDC, who explains that digital transformation means we are all completely reliant on technology to run our businesses and our lives.
“And it just gets more and more interesting as we go,” he says.
Digital transformation is a reality in South Africa, and we are totally in line with international trends, according to IDC research.
Organisations are all looking to digital transformation to increase revenues, reduce process cycle times and create better experiences for customers and employees.
In fact, about 42% of South African organisations are already starting on digital transformation, with a further 21% about to start and 25% planning it. Just 9% of local companies are not planning to do any kind of digital transformation.
Digital transformation is driving mobility, analytics, cybersecurity and cloud investments, Walker points out. Internet of Things is also growing quickly, with much of the hype now turning into practical considerations.
Blockchain is starting to come of age as well, he adds. “This also changes the security landscape: there is a new way of dealing with security on the one hand; but at the same time, garbage in, garbage out holds true. If those systems get hacked there could be chaos.”
“Research shows that security is really important as part of digital transformation,” Walker says. While there have been some high-profile breaches in the past, he believes we have just seen the tip of the iceberg.
As mobile devices become more widespread, threats will increase; and the increasing automation of devices is also making it easier for cybercrooks to infiltrate systems.
Issues driving the need for security include the acceleration of digital transformation; the impact of artificial intelligence (AI) and automation; global volatility; the new stat-centric paradigm; a rise in the number of cyberthreats; the increase in material connectivity; and business disruption.
The regulatory environment is forcing many companies to look at security as it relates to compliance. At this stage, however, companies are complying with the letter of the law, but will probably step up their investments once the first “penalty” incident occurs.
But compliance goes further than the Protection of Personal Information Act (PoPI) and GDPR, Walker points out. Industry verticals all have their own regulations, while ISO standards and directors’ liabilities all take effect.
Against this backdrop, IT leaders battle to get budget, so Walker suggests they learn to talk the language of business, and frame the discussion in terms of risk.
Maintaining security is the top technology-related challenge that IT faces, followed by performance availability, mobility and integration.
IT decision-makers specifically face a shortage of skilled IT security personnel, a lack of sufficient IT security budgets, the ability to stay up to date with emerging threats, poor policy compliance and a lack of mature security policies.
In a world where IT is a major driver for business, the balance of power has shifted from the CIO to the user, and budget no longer devolves automatically to IT. Today, as much as 76% of digital initiatives are driven by line of business together with IT, while 16% believe it should be line of business only.
However, while there is consensus that the projects should be done together, only 31% of organisations occasionally meet together. “The highest level of collaboration is at this 31% – but it should be in the 70% and up range.”
Security breaches are still often the result of human error. “You can have the best technology, but it still takes just one disgruntled employee to cause a breach,” Walker says. “We need to work with HR to make sure there are policies and procedures to make sure we block these leaks.”
Line of business managers are not as aware of security, although the number is at 31% now compared to almost none a couple of years ago. Walker believes that as awareness grows, the budgetary discussions should become easier.
Today, only 17% of organisations make IT security a key initiative; this needs to be a lot higher, Walker says.
Chief information security officers (CISOs) should be looking to measure themselves on time to resolve a breach, closely followed by time to respond. “These are two key KPIs,” Walker says.
Compliance is another KPI, along with time to identify a vulnerability, ensuring the right level of skills, and enabling secure business processes.
On the technological front, securing the edge will become a priority, as well as user behaviour analytics, endpoint protection, denial of service and ransomware mitigation, and cloud security gateways to secure bottlenecks.
The new-look CISO will have to have great technical skills, Walker says. But he will also be a good communicator, an effective people manager and a trusted advisor who is always informed and the expert on security.
“Don’t forget the obvious,” Walker says. “Security is about balancing people, processes and technology.”
Year after year, security breaches continue to grow, with finance and technology organisations topping the list of attack targets.
This is according to Mark Thomas, group chief technology officer: cyber security strategist at Dimension Data Cybersecurity, reporting on research from Dimension Data and NTT group, collected from global security operations centres (SOCs), honeypots and incident response teams.
Ransomware is perceived to be the top threat, with a 350% year-on-year increase, driven by two high-profile attacks during the year.
Spyware and keyloggers, however, top the list of threats globally. This could indicate that there is a shift from “smash and grab” attacks to long-term data gathering.
Business and professional services came into the global top five for the first time. However, finance and healthcare are most likely to seek out response assistance.