Key Data Points from Syncsort’s Annual Security Survey – Part 1
This article on Syncsort’s Annual Security Survey was originally published in Enterprise Tech Journal. Part one of this two-part post covers IT priorities, top security challenges, regulatory requirements, and confidence in a security program.
In 2018 we saw multiple security regulations become effective – most notably the European Union’s General Data Protection Regulation (GDPR). As a result, businesses already grappling with increasingly sophisticated cybersecurity attacks now must contend with additional regulatory requirements.
To check the pulse of IT teams managing security, Syncsort surveyed over 300 IT professionals on the state of security in their organization – and it’s not surprising that the “growing complexity of regulations” was ranked as the #1 security challenge for 42% of the respondents in the year ahead.
The survey included IT professionals who are familiar with the IBM i platform to understand their top challenges, strategies, technologies, and best practices regarding the security of that environment and the business-critical applications and data that reside upon it. Not surprisingly, the results for organizations with IBM i systems closely mirrored those with other systems, including IBM z. We hope the results will be illuminating to all IT professionals who will be administering or otherwise overseeing security at their organization during 2019. Here are the IBM i-specific results (see figure 1).
Perhaps it’s not surprising that security is the most frequently reported IT priority among all respondents for the coming year (see figure 2). The increasing sophistication of attacks and the expanding number of compliance regulations have many companies giving added attention to security. In fact, IDG, in a recent CIO magazine poll, revealed that the technology category expected to see the largest budgetary increase at companies during 2019 is cybersecurity. The results of the same survey cited 83% of CIOs as saying that security breaches could have an impact on their organization during the next 12 months—a rather sobering statistic.
Top Security Challenges
When respondents were asked their top three security challenges, the results were diverse, with many you might expect at the top of the stack. “Growing complexity of regulations” (25%) and “Increase in sophistication of attacks” (16%) are two of the top concerns, which perhaps isn’t surprising. Topping the list, “Adoption of cloud services” (26%), is reflective of the statistic in the previous section that shows cloud computing to be among the top IT priorities during the coming year. A company’s utilization of cloud services certainly comes with its own unique security challenges. Beyond the cloud, the chart points to similar challenges associated with securing data that exists outside the snug confines of the IBM i—for instance, “Data being increasingly distributed” (23%) and “Securing data from new internal/external sources” (20%). Not far down the list are other challenges related to staff, budget, training, and complexity.
As indicated in the previous section, the growing complexity of compliance regulations was cited as the second biggest challenge related to IT security. Underscoring this is the fact that 34% of respondents said in another of our survey questions that within the past three years their organizations became subject to one or more new government or industry regulations that include cybersecurity requirements (see figure 3).
Given the industries corresponding to common verticals running IBM i, it certainly makes sense that SOX, HIPAA, and PCI-DSS are among the regulations most cited as affecting the companies of respondents. Near the top is also GDPR, a regulation that went into effect for many companies during 2018. The number of companies needing to comply with GDPR is large because it affects most companies that do business in the E.U. and/or keep data on E.U. citizens.
Most regulations keep evolving to address new threats—thus the concern about their growing complexity—and there’s likely to be no slowdown in the rollout of new laws. New York just launched strict new data protection regulations (23 NYCRR 500) that affect financial services companies operating in the state, and other states are threatening to follow suit. The California Consumer Privacy Act goes into effect in 2020 and will compel companies there to protect sensitive consumer data in similar ways to GDPR. And there is talk in Washington, D.C., of possible legislation at the national level to address data protection and privacy concerns.
Confidence in Security Program
When looking at the level of effectiveness of corporate IT security programs across survey respondents, at first glance it appears confidence levels are fairly high, with 84% saying they are either very confident (30%) or somewhat confident (54%) (see figure 4). However, the large percentage of those in the “somewhat confident” category is a possible cause for concern. In light of increasing security challenges and the enormous cost and disruption of a breach, it raises the question: is being somewhat confident sufficient? The security survey data that’s covered in the following pages of this article, particularly around the occurrence of breaches and the frequency/type of security audits, is revealing in this regard as it points to a possible disconnect.
Take a look at part two where we cover security breach impacts, the frequency and effectiveness of security audits, present and future investments in security, and some recommendations on areas to strengthen.