Marc Dowd (Principal, European Client Advisory)
Tom Schwieters (Vice President)

We were delighted to host the second IDC Digital Leadership Think Tank of 2022 on February 24. Nearly 50 digital leaders from around Europe joined the call to discuss the realities of managing cybersecurity alongside the evolving issues around privacy and regulation. Marc Dowd and Chris Weston from the IDC Executive Advisory team were joined by Joel Stradling and Ralf Helkenberg from IDC’s Security and Privacy practice.

Managing Expectations

The meeting started with an anecdote from one of the CIOs present about a colleague who had been asked to set themselves an OKR (objectives and key results) target of zero successful cybersecurity attacks on their business. This led to a lively discussion about whether such a target could ever be reached. Attendees agreed that cybersecurity is about deciding the level of risk that is acceptable for the organisation, weighed against the cost and restrictions involved in an extreme security posture. Communicating this reality and giving board members genuine options that can be understood and evaluated is a key part of the role of the CIO and/or CISO, depending on the organisation. IDC’s Joel Stradling recounted conversations from his CISO community — “We were trained to identify and manage cyberthreats, not to communicate with and manage board members” — while another CIO on the call shared that their cybersecurity training for employees was mandatory but carried no consequences if it wasn’t taken. There is clearly much work to do in setting and managing expectations around the top table when it comes to cybersecurity and the culture that is needed for everyone to contribute to a safe working environment. As many agreed, the key is to speak to the board in the language they understand and to explain the risks to business operations in very specific terms — jargon is quickly ignored.

Cyber Resilience Taking Shape

Helkenberg explained that the concept of cyber resilience is beginning to gain traction in many industries. It can be defined as a focus on building an organisation’s capacity to anticipate, withstand and recover from adverse events by applying appropriate security principles to the design of processes and interfaces. He said this is being driven by external forces such as the rapid increase in ransomware attacks and the response from insurers and other affected parties. The EU Digital Operational Resilience Act (DORA) is likely to be implemented before 2025 in the finance sector, compelling organisations in that area to implement safeguards that mitigate cyberattacks and related risks.

Zero Trust in the Real World

Several of those on the call talked about their approach to zero trust as a concept: some apply it to digital systems only, while others go further and treat people as part of the zero-trust landscape. A contributor explained that the most common operating systems tend to start from an open default, so administrators have to close down services and ports as they decide on security measures. In his experience, the reality of cloud migration and a hybrid architecture means that many communication pathways remain open, which is both a potential source of problems and a blocker to operating a zero-trust methodology.

Stradling described zero trust as a journey rather than a one-off effort. IDC defines zero trust as no trust being automatically granted to any end user or to any computing or network resource. Stradling also said the 3-2-1-1 backup approach is becoming more popular: it adds an offsite, offline copy to the traditional three copies of data on two different media with one copy stored online offsite.

Managing the Team

A genuine source of concern in the meeting was the lack of trained people and rapidly increasing salary expectations. Many organisations, especially in government, are not able to compete with the rates now being offered. There is hope in automation, but this isn’t without difficulties. Stradling explained how automation can reduce the need for trained people and reduce security analyst burnout, which otherwise leads to staff churn. Tools such as XDR/MDR and the use of AI/ML can help, but how much are organisations willing to delegate to the technology? Skills are still needed to interpret the outputs of these systems and to make decisions or recommendations based on what is seen. For some in the room, the idea of reducing headcount to a “one person SOC” carries a different risk: the single point of failure that remains.

Conclusions

As the meeting came to a close, we talked about the need for organisations to inform their CEOs of digital risk, to be clear about the implications of failure, and to accept that it is sometimes necessary to frighten the leadership team a little to get the message across. The concept of the chief trust officer was of interest: a role responsible for privacy and compliance, ecommerce and trusted ecosystems, and even ethics and transparency. There was acceptance that regulators will catch up and force this issue over time. Finally, we discussed the need for the digital leadership community to be as transparent as possible — boards will not see the need for risk mitigation measures if they do not see the impact of cyberattacks elsewhere.

Thank you to everyone who came onto the call — it was full of real insight and highly educational. Thank you also to Joel Stradling and Ralf Helkenberg for bringing the analyst view and for informing us with current data. Our next session, on March 31, will focus on the ROI of digital transformation. We hope to see you all there.