Ovum's recently published 2019/20 ICT Enterprise Insights Survey shows that only 11% of organizations have a fully developed proactive approach to cybersecurity and digital risk, with a further 22% being "well underway." This contrasts sharply with the same question for the 2018/19 results, where more than 14% had a fully developed approach and nearly 30% were well underway. Why would fewer organizations have developed a proactive approach to cybersecurity and digital risk in 2019 than in the previous year?
Although surprising on the face of it, this should have been expected. This is because the cyberthreat landscape expands significantly with each new digital transformation project or initiative, and it becomes more difficult to ensure that this landscape has been adequately risk assessed and decisions taken. As such, it is likely that organizations were more confident in the earlier survey because "they didn't know what they didn't know." As the initiatives and the landscape have both expanded, realization has set in about what the task involves.
Technology continues to offer enterprises better ways to serve customers and citizens. The cost of doing nothing must be balanced against the necessary financial investment and benefits of delivering digitally transformative projects. What must also be taken into consideration are the risks of undertaking these projects and how any identified risks must be addressed.
Few organizations, if any, have avoided "digital transformation." Approaches vary between ad hoc and formal, established programs; initiatives range from minor to major, but digital transformation is happening everywhere. Digital risk focuses on linking risk with digital innovation, and Ovum research has revealed that approaches to digital risk are immature in many organizations.
Cybersecurity approaches are well-established in many larger organizations, often with a chief information security officer (CISO) leading the way. Smaller enterprises are continuously learning from and applying cybersecurity standards and frameworks available to them to improve security posture, often under the remit of the CIO or IT manager. Digital risk, however, rarely has one role leading the way, even in the largest of businesses. It is a very wide subject requiring board-level involvement but with no standard way of organizing and leading the team. Standard governance models are not commonly used and there is frequently uncertainty over where responsibility lies.
Approaches such as this leave enterprises exposed. Instead, organizations must grasp the nettle when it comes to digital risk. Transformative projects can improve products and services to customers and citizens, and they can increase top-line and bottom-line revenues, but they can also introduce risk. Getting a handle on these risks, understanding what they are and how they should be treated (accept, mitigate, or transfer), is essential if an enterprise is to remain in control of its security posture. Having a role in charge of this is a positive first step.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.