The next generation of Cloud Security in fighting against cybercrime

Against a backdrop of increasing cybercrime, lack of security proficiency is impacting Asia Pacific’s adoption of cloud technology and companies’ digital transformation

By Michael Kiss, Director of Complex Security Solutions, Asia, Middle East & Africa, BT

Over the past years, the world has seen an escalation in cybercriminal activity, ranging from cross-border attacks, rising card-not-present fraud, increasingly sophisticated mobile attacks and new fraudulent payment schemes to strong growth in anonymity networks. Combined with the very public data breaches at various companies, this has raised serious questions and concerns over the security of cloud services. In spite of this, one thing remains clear – cloud will continue to be the basis of digital transformation, and coming to grips with this journey is critical to businesses everywhere.

To provide much-needed clarity on the challenge cloud poses to data security, BT has commissioned IDC to conduct an AMEA Security Proficiency Assessment which looked at large multinational corporations in 14 markets to understand their cyber security proficiency levels, use of advanced security technologies, cloud adoption, and readiness in addressing the security challenges posed by cloud.

Cloud security solutions in enterprise

The assessment found that 44% of organisations do not have the security proficiency to address the range of requirements needed to make integrated risk-based decisions and enable optimisation controls in the right place – and this is hindering the adoption of cloud and their digital transformation. The assessment found that organisations in the Asia Pacific (ex-Japan) region languish behind the US and EMEA, with only 45.5% of those surveyed operating at the basic ad hoc level of security proficiency. This patchy security proficiency is particularly worrying given the increasing incidence of cybercrime.

There is also a strong correlation between an organisation’s security proficiency level and its digital transformation maturity. This correlation is reflected in a recent BT-KPMG report entitled “Taking the Offensive, working together to disrupt digital crime”. The report found that 73% of directors responsible for IT, resilience and operations at major global companies saw digital security as a board-level agenda item, but only 22% said they were fully prepared to combat security breaches.

The study defined a proficient security programme as one with a complex interplay of technology, processes and people, governed by risk management capabilities and driven by a strategy that enables the organisation to safely make its digital transformation. With so many interplaying factors to contend with, it is no wonder there is such a lack of security proficiency.

Organisations have often bought security emotionally, or even on impulse, and need to take a more risk-based approach towards security programmes and practices.

When it comes to security controls, there is a need to focus on credentials and data that aligns with the organisation’s risk profile.

According to IDC, a successful security programme depends upon a multi-pronged approach guided by a strategy that focuses not just on security, technology and compliance, but also on people, processes and economics. The IDC Cyber Proficiency Framework assesses organisations’ levels of advancement via four categories:

  1. Basic – a basic IT security programme that addresses issues as they arise (57.8% of respondents)
  2. Proficient – a formal IT security programme with moderate attention paid to security by c-suite
  3. Highly Proficient – a broad IT security programme encompassing full compliance, which evaluates needs using quantitative cost justification requirements and which has the close attention of the c-suite
  4. Optimised – a well-defined IT security programme for full compliance and advanced security, which is also closely aligned to the organisation’s business objectives. The c-suite includes security executives at Board level to examine technology-related risks.

As with any major investment, there should be a systematic approach to evaluating organisational strengths and weaknesses, as well as a balanced approach to investing and allocating resources. Ideally, an ROI assessment will be undertaken, and the cost effectiveness of any additional security functions should be monitored continuously.

Cloud adoption still a big challenge for Asia Pacific companies

While Security as a Service was the top-rated advanced security technology, with the majority of companies having adopted or planning to adopt it in the next 12 months, overall, organisations report very different challenges in cloud adoption.

Only 18% of organisations adopt a “cloud-first” sourcing model, but this is tipped to rise to 40% by the end of 2016. Roughly one in five respondents were still discussing cloud adoption internally, and 40% selectively use cloud services. A number of factors contributed to the hesitation. The lack of visibility, challenges in meeting regulatory/compliance requirements, and a lack of control of security in the cloud environment were rated as the top three challenges brought by cloud adoption. Significantly, 17.8% of respondents believed cloud services adoption posed more security challenges than benefits.

As companies become more mobile and more diverse, we know that having an effective, proficient cyber security programme is absolutely critical for creating differentiated and innovative organisations and enabling the digital transformation journey. Companies that take pragmatic, risk-based steps to sensible cloud adoption will be the first to realise its many benefits.
