Chris Weston (Principal, European Client Advisory)
Marc Dowd (Principal, European Client Advisory)
Tom Schwieters (Vice President)

In last year’s IDC FutureScape research we uncovered many interesting outcomes from the many people surveyed, and one that stood out for me was this:

70% of CEOs of large European organisations will be incentivised to generate at least 40% of their revenues from digital by 2025, driving more than €4 trillion of gross value added (GVA) in Europe.

This statistic speaks to a fundamental change in the expectations of boards and investors about the business models they will be relying on in future. Maybe you think 40% is too high or too low. I’m not sure it matters too much. If it’s 25% or 50% of revenues from digital services it’s still seismic.

Given that the change is happening, the effects on many areas of business will be profound, and this particularly applies to cybersecurity and risk. If organisations are struggling to juggle risk and cost today, with boards often lacking the experience and knowledge to make informed decisions about investment in cybersecurity, how does that look when a significant portion of their business depends entirely on digital services?

At IDC we talk about this in terms of trust. Organisations must be able to trust other organisations and entities to achieve digital transformation that is efficient and effective. We are interconnected at an unprecedented scale, and this is only going to increase in complexity, volume and speed.

The Arrival of Zero Trust

One of the tools that we now have in our kitbag is the concept of “zero trust”. In this model, the technical environment is protected from its broadest to most granular levels. Rather than assuming that “border controls” will do the job and that users moving within internal systems are verified, no level of trust is automatically granted to end users or any computing or network resources.

[Figure: Trust Evolution: From Physical to Digital. Source: IDC Presentation: The Two Sides of Digital Trust in Digital Transformation, IDC Future of Trust Latin America]

The “border controls” or perimeter-based systems that we relied on in the past were developed to protect centralised resources. This is manageable when those resources are limited in number, but the evolution of the networks, software and hardware tools, and the locations that we access these from, has led to this becoming far too vulnerable to compromise.

Zero trust evolves the security model — there is no longer an “inside” and an “outside” and perimeters are used on a much smaller scale to separate networks and individual technical components. This inevitably creates a massive amount of data to manage, with potential attacks and threats being reported from these many smaller perimeters, so investment is needed in tooling that enables security teams to know what is important and what can be ignored. There are also downsides in terms of latency and complexity that must be considered when employing this model.

A Proliferation of Tools

Alongside this important concept are specific security issues and tools related to cloud storage and backup, mobile and IoT devices, multifactor authentication, social engineering and phishing — the list goes on. Of course, there is an enormous industry that has grown around this and the number of tools to select from is bewildering. We are currently seeing the growth of what are called XDR (extended detection and response) products, which in very simple terms are platforms for a collection of tools and workflows that provide security teams and the businesses they serve with simplified, unified data that can be more easily managed. Whether this reduces the confusing array of tools and techniques remains to be seen. You can join us to explore this question by coming to the Think Tank later this month (details below).

Moving on from the technical side of cybersecurity, we also have to consider the areas of privacy and regulation. As we collect and share more data, so we become of more interest to regulators keen to protect citizens from harm, whether that be unintentional sharing of sensitive data or unauthorised use of data by those operating outside the law.

Regulation Continues to Adapt

A good example of the way this landscape is evolving came to my notice recently: the French independent regulator CNIL ordered a website operator to remove Google Analytics from its systems to stop data being transferred to the United States. This is a clear statement of intent, in cooperation with European counterparts, that the Schrems II judgement regarding the Privacy Shield is going to bite in quite significant ways. Collecting and managing data is likely to become more expensive, which may challenge some of the business models envisaged in the 40% of revenues mentioned at the top of this article. In the world of machine learning and artificial intelligence, the proposed EU AI Act will create a new regulatory framework for the use of these tools, the ramifications of which are being carefully watched. Our analysts at IDC note that AI systems are defined quite broadly in the proposal, with obligations on providers of AI systems and users.

Even inside our organisations, privacy must be carefully managed. Microsoft ran into trouble last year as it showed the first cut of its “productivity” analysis tools in the Office suite. Now branded Microsoft Viva with many of the features it showed rolled back, it is spending a lot of time reassuring people that such numbers are only available to individual employees, and providing guidance about how to use this data.

For the digital business, cybersecurity is a fact of life that must be managed in order to prosper. The challenges will evolve as we become more interconnected and the digital leader has to balance speed, efficiency and security to be successful in this environment. In our Think Tank this month we will be discussing these issues with the help of our IDC analysts who will provide more detail around the significant trends and no doubt some real-world insight from our community members.

We look forward to seeing you at the session on Thursday February 24 at 16:00 GMT/17:00 CET. To join the session, please contact me at cweston@idc.com
