Let me give you another statistic. In 2016, across the region, 54 per cent of CEOs had a KPI around IT security. That means, between you and me, your CEO cares about it and mine does not; therefore I am never going to get the funding, resources or attention required for me to do a sufficient job.
Richard Pain: What are your opinions on KPIs for IT security? Are the right KPIs being used to measure performance?
Simon Piff: There are a lot of KPIs out there, but very few are useful to help businesses understand if security is doing what it needs to do. For example, IT organisations should not just be measuring how many attacks they detected and mitigated, but also, what would the financial impact have been if the attacks had gotten through? This kind of rigour in the business of running IT security does not really exist in the markets across the region.
At the root of this issue is that whilst there are organisations across the region that apply robust risk-management processes, it's very much looking at just financial risk. This means things like "is this the right investment to make?" or "have we got the right terms and conditions on these contracts?" However, this approach can be applied, with some tweaks, to how IT security operates. Doing so can help an organisation understand what its key assets to be protected are, from whom and at what price, yet at present this kind of rigour rarely exists beyond Government and the military.
Richard Pain: Why is taking a risk-based approach to cybersecurity not more widely adopted? Is it just inertia in business?
Simon Piff: I think it's a combination of things. Yes, we can say inertia in business, but there's another aspect too. Organisations already invest a fair amount of money in their IT security being resilient, with backup and continuity programs, but how often do they really test them?
There's the old adage: if it isn't broke, don't fix it. The same is often applied to IT security in the sense that, if we haven't been hacked recently, why would we spend money on running a penetration test?
From the budget holder's perspective that makes no sense. Arguably, your company has already been hacked, you just don't know it yet; but either way, they see this as spending more money on something that's not delivering top-line revenue, and I think that's the crux of the matter.
Richard Pain: What needs to happen to fundamentally improve IT security within an organisation?
Simon Piff: Cybersecurity cannot just be treated as an IT issue; it instead needs to be treated as a business risk issue that IT can help with. Unless you start thinking in those terms, we're still going to have the situation where the CFO can click on every link they like and then expose the entire network to ransomware, because we're not properly educating all stakeholders from the top down. But if end-users have been trained and mandated not to act in a certain way, and that is enforced by the business, then you will see real change.