Blog entry by Les Bell
A recent report released by trust management firm Vanta confirms a gloomy picture of the current state of cybersecurity across businesses in general, with two-thirds of businesses saying they need to improve security and compliance measures and almost one in four (24%) describing their security and compliance strategy as reactive.
Vanta's State of Trust 2023 Report, based on research conducted on their behalf by Sapio Research, surveyed the behaviors and attitudes of 2,500 business leaders across Australia, France, Germany, the UK and U.S. in order to understand the challenges and opportunities they face. In short: the expansion of attack surfaces in a post-pandemic world of hybrid work, coupled with shrinking teams and budgets, not to mention the rapid rise of generative AI, are fueling an urgent need for companies to raise their security posture - and to be able to demonstrate this to customers, investors and suppliers.
For companies of all sizes, limited visibility of risks, coupled with resource constraints, pose a challenge to security improvements. Only four in ten organizations rate their risk visibility as strong. But one in four has downsized IT staff, and 60% have already reduced IT budgets or are planning to do so as they grapple with an increasingly challenging global economic environment.
Two thirds of respondents say that customers, investors and business partners are increasingly seeking assurance of their security capabilities. While 41% provide internal audit reports, 37% supply third-party audits, and 36% complete security questionnaires, one in eight (12%) admits they do not or cannot provide evidence when it is requested, leading them to miss out on business opportunities. According to the report:
- Businesses spend an average of 7.5 hours per week – more than 9 working weeks a year – on achieving security compliance or staying compliant.
- Over half (54%) are concerned that secure data management is becoming more challenging with AI adoption, with 51% saying that using Generative AI could erode customer trust.
- The two biggest barriers to proving and demonstrating security externally are a lack of staffing and lack of automation to replace manual work.
- Only 9% of businesses’ IT budgets are dedicated to security, with 1 in 3 leaders saying their IT budgets are continuing to shrink.
- Identity and access management and data processing that doesn’t comply with regulations are the two biggest blind spots for organizations.
Those who do make efforts on security report positive benefits: a majority (70%) of leaders say that a better security and compliance strategy positively impacts their businesses thanks to stronger customer trust, while nearly three in four (72%) agree that a better security and compliance strategy would make them more efficient. Key to achieving this is automation; an overwhelming 83% of businesses have increased or plan to increase their use of automation, particularly for reducing manual work and streamlining vendor risk reviews and onboarding.
To achieve this, they are looking to artificial intelligence and machine learning, with 77% of businesses already using or planning to use AI/ML to detect high-risk actions. Respondents believe the biggest potential of AI will be improving the accuracy of security questionnaire responses (44%), eliminating manual work (42%), streamlining vendor risk reviews and onboarding (37%), and reducing the need for large teams (34%).
The survey results illustrate the different viewpoints around the world:
- Respondents in Australia are the most concerned about Generative AI’s potential impact on customer trust.
- Organizations in Australia are least likely to be able to provide proof of compliance to customers.
- 76% of leaders in France say they need to improve security and compliance, the highest of all markets.
- UK leaders are more concerned with keeping up to date with evolving regulations than any other market.
- Germany is one of the most likely to say that the volume of standards and regulations is a barrier to maintaining a robust security program.
- Leaders in the U.S. are most likely to delay entering new markets due to compliance requirements, admitting they're not prioritizing compliance because of the financial investment required.
- Companies in the U.S. believe they could save at least 3 hours a week by automating security and compliance tasks – the highest of any country.
While all this paints a somewhat gloomy picture, I'd say there are some important lessons to be gleaned. The first is for companies to focus on security first, and worry about compliance second. Focusing on compliance is putting the cart before the horse, and often leads to a checkbox mentality that does little to actually improve security. (I suspect this might underlie some of the attitudes reflected above from Australia and Germany.)
An insightful comment I saw recently puts it well:
> Effective information security programs mitigate the risks that you face to a level that you can accept.
> Compliance programs mitigate the risks that you present to others, to a level that they can accept.
You cannot achieve the second without the first. Having said that, compliance ultimately is important, especially in enabling new business relationships. The answer is to adopt a security framework - such as the NIST Cybersecurity Framework - and then cross-reference each implemented control against the relevant standards - such as ISO 27001, HIPAA, etc. - in order to demonstrate compliance.
Having got this process under way, companies will then be in a much better position to take advantage of the automated reporting, for both internal management and external compliance, offered by Vanta and similar companies.
Uncredited, State of Trust Report 2023, Vanta Inc., 8 November 2023. Available online at https://www.vanta.com/downloads/the-state-of-trust-report-2023.
About this Blog
I produce this blog while updating the course notes for various courses. Links within a story mostly lead to further details in those course notes, and will only be accessible if you are enrolled in the corresponding course. This is a shallow ploy to encourage ongoing study by our students. However, each item ends with a link to the original source.
These blog posts are collected at https://www.lesbell.com.au/blog/index.php?user=3. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.