Board’s disconnect with cloud security concerning
Cloud security doesn’t appear to be a board-level problem. In fact, only 45% of the respondents to a recent PwC report say their corporate board actively participates in setting security budgets.
“This is very concerning,” said Shaun Searle, country manager for African regions at Redstor, speaking yesterday at the ITWeb Security Summit 2019.
“If the board isn’t talking about (security), thinking about it, and taking action, it will be extremely problematic to get budget allocated, to be agile enough to resolve issues quickly, and plan for potential financial emergencies.”
All too often, he said, he’s worked with IT decision-makers who have taken the time to investigate and identify areas of data risk, then collected and summarised various solutions, often over several months, only to have the budget declined or delayed to the next financial year.
Citing another study by consultancy firm EY, Searle said more than three-quarters of organisations say a significant data breach would be a catalyst for increased spending. This, he added, feels like closing the stable door after the horse has bolted.
Even more frightening is that some 64% of organisations believe an attack that does not cause harm would not trigger budget increases.
“What’s the takeaway? Cloud security doesn’t seem to be an issue that concerns either business or finance managers.”
The reason cloud security is so important is the explosion of data. “Data is everywhere – some in the cloud, some onsite, some important and some not. Our approach to data management, whether cloud, onsite or hybrid, is to discover, manage and protect. To achieve this, we need to protect any application, OS or database, across multiple service providers and sources, with a view into your landscape from a single control centre.”
Incident response plans missing
Searle also made reference to an IBM study that found that 77% of organisations do not have a formal cyber security incident response plan in place.
“This one shocked me to my core. It means that nearly eight out of 10 people sitting in this room don’t actually have a plan should a major cyber security incident happen.”
In his experience, organisations tend to believe they have the necessary tools to recover from a data breach, but without the plan and input from professionals, ‘it’s a little like getting a flat tyre and not knowing in what order to use the tools’.