Most organizations are in a state of denial when it comes to IT security. In fact, most of them think they’re doing a good job on IT security even after they’ve been a breached. A new survey of 400 IT leaders in the U.S. and United Kingdom conducted by Sapio Research on behalf of SolarWinds MSP finds that 87 percent of respondents are still confident in the IT security technologies and processes they’ve implemented — even though 71 percent admit they’ve experienced a breach in the past 12 months.
Significantly, 77 percent of those that admitted having experienced a security breach, a full 77 percent acknowledged they had suffered a tangible loss, such as monetary impact, operational downtime, legal actions, or the loss of a customer or partner. Of course, hope springs eternal. A total of 59 percent of the respondents said they believe they are more secure today than they were 12 months ago.
7 deadly IT security sins
SolarWinds MSP suggests there are seven forms of IT security hubris that go before the organizational fall. They include:
- Inconsistency in enforcing security policies
- Negligence in the approach to user security awareness training
- Shortsightedness in the application of cybersecurity technologies
- Complacency around vulnerability reporting
- Inflexibility in adapting processes and approach after a breach
- Stagnation in the application of key prevention techniques
- Lethargy around detection and response
MSPs encounter the dichotomy that exists between internal organizational views of IT security and reality every time they engage a new customer. Because they need to prove to the customer that there is indeed an IT security issue, the MSP often winds up committing resources to penetration testing. The customer will only pay for those services as part of a larger services engagement if the MSP can successfully penetrate the prospective customer’s IT security defenses. Most of the time the MSP is well able to compromise those defenses, but devoting resources to do that testing takes away from other projects that are already generating revenue.
Opportunities for MSPs
The good news is that the survey finds that 61 percent of respondents said they expect to substantially boost IT security spending. That level of increase would not be happening if they were totally confident in their abilities. The challenge MSPs face is convincing those organizations to redirect more of that spending in the direction of a service rather than additional products and internal IT staff. Of course, most companies these days can’t afford to hold on to IT security professionals for very long even if they can find them. That gives MSPs, which generally pay better than internal IT organizations, a strategic advantage when it comes to attracting the best IT security personnel.
IT leaders, of course, are still reluctant to be perceived as needing help from an external IT service provider. But when it comes to IT security just about all of them know deep down that they and their organization are way out of their collective depth.