New research released by Tanium has found that CIOs and CISOs in the UK have held back from implementing critical measures that keep them resilient against disruption and cyberthreats. Over eight out of 10 (84%) respondents said that they have refrained from adopting an important security update or patch due to concerns about the impact it might have on business. In fact, over two fifths (41%) said they had done so on more than one occasion.
The Global Resilience Gap study of 500 CIOs and CISOs across the US, UK, Germany, France and Japan, in companies of 1000+ employees, explores the challenges and trade-offs that IT operations and security leaders face in protecting their business from a growing number of cyberthreats and disruptions. The study also explores the internal challenges that are holding back most technology leaders from achieving full visibility and control of their IT environments.
Lack of visibility and control across networks
The study discovered that a lack of visibility across endpoints – laptops, servers, virtual machines, containers, or cloud infrastructure – is preventing organisations from making confident decisions, operating efficiently and remaining resilient against disruptions. Over a quarter (28%) of UK respondents said that departments and business leaders work in silos, leaving them with a lack of visibility and control over IT operations. And this has directly affected the business, with the majority (83%) of UK CIOs and CISOs having found out that a critical update or patch they thought had been deployed had not actually updated all devices, leaving the business exposed as a result.
IT security and operational trade-offs
As well as visibility issues, the study revealed the IT security and operational trade-offs that CIOs and CISOs make due to wider business pressures. Ninety-five percent of UK respondents said that they have to make compromises in how well they are able to protect their organisations from disruptions to technology, including cyberthreats and outages. When asked about the key reasons for making these compromises, 35% cited pressure to keep the lights on, with almost a third (31%) suggesting that being hamstrung by legacy IT commitments restricted their security efforts. Additionally, nearly a third (30%) said that a focus on implementing new systems takes precedence over protecting existing business assets, and over a quarter (28%) stressed that inconsistent and incomplete datasets were a key driver.
Fragmented internal priorities
A lack of understanding of the need for business and technology resilience among other leaders across an organisation was identified as a key factor in pressuring CIOs and CISOs to make compromises in their efforts to maintain resilience against disruption.
Over half (56%) of the CIOs and CISOs surveyed said that they face challenges because other business units do not grasp how important technology resilience is to the company. Meanwhile, almost half (47%) claimed issues arise as other business units don’t factor business resilience into their strategy or plans.
These divergent priorities are leading many of the survey respondents to worry about the potential impact they will have. Almost half (46%) are concerned about a loss of customer trust due to the need to make security compromises, while over a third (34%) worry about potential loss of customer data. Nearly a quarter (24%) agreed that a lack of attention given to business resilience caused them to worry about creating an inaccurate picture for stakeholders around the organisation’s resilience to disruptions.
Matt Ellard, Managing Director, EMEA, at Tanium, commented: “As leaders, CIOs and CISOs face multifaceted pressures across the business to remain resilient against disruption and cyberthreats. They must maintain compliance with an evolving set of regulatory standards, track and secure sensitive data across computing devices, manage a dynamic inventory of physical and cloud-based assets, all while fulfilling an increasingly common executive mandate to make technology an enabler for business growth. But in fragmented environments, where organisations use a range of point products for IT security and operations, there are regular compromises taking place among these priorities.
“Our research shows that a new approach is needed to achieve visibility and control of distributed, dynamic IT environments. As organisations look to build a strong compliance and security culture, it is essential that IT operations and security teams unite around a common set of actionable data for true visibility and control over all of their computing devices. This will enable them to prevent, adapt and rapidly respond in real-time to any technical disruption or cyberthreat.”