Don’t become addicted to cybersecurity gambling

Winning a bet is one of life’s little pleasures. People make bets all the time. Many people even like to place wagers on the outcome of those bets. The trouble is gambling can become an addiction.

What many organisations don’t realise is just how often CISOs and CIOs are now routinely gambling on cybersecurity.

If we look at the Australian healthcare sector, for example, a member survey conducted by the Health Informatics Society Australia (HISA) last year, highlighted that 22 percent of organisations said they were continuing to store and manage healthcare data using end-of-life systems that had no vendor support. This means that any new vulnerabilities aren’t being addressed through vendor patches and updates.

Many respondents said they were slow to act even if patches were available, with 40 percent installing operating system patches and updates within 48 hours of release, and 31.8 percent only patching after the IT team has had a chance to conduct extensive testing.

Thirty-three percent of respondents performed a cybersecurity risk assessment at least annually, while only 65 percent had a formal business or governance plan that included managing cybersecurity issues.

With Australians putting their trust in healthcare services to safeguard their confidential information, the results of this research are quite alarming. The healthcare sector isn’t the only industry facing these challenges, but this example highlights the extent of the problem.

IT and cybersecurity leaders need to make risk evaluations every day. But the more complex the IT environment becomes the greater the tendency there is to try and minimise disruption.

Naturally, every time a CIO or CISO makes that bet and wins, there’s a natural tendency to push their luck. The trouble is with each bet to forego a patch or application update, the risk becomes greater.

Some CIOs and CISOs have been known to crack under that pressure. Others, however, become addicted to the adrenaline rush that taking risks always engenders.

Stakes are being reduced

The good news is that rather than gambling with cybersecurity, there is now a concerted effort to reduce the stakes.

Intel, for example, recently described its ongoing efforts to make it possible to create trusted zones of confidential computing from the edge to the cloud. It may take a while to replace all the inherently insecure systems deployed across the enterprise, but at the very least, new systems have the potential to be fundamentally more secure than their predecessors.

At the same time, there’s a shift toward building new applications using containers as part of the rise of DevSecOps. While the code inside those containers isn’t any more secure, the containers themselves are much simpler to replace. This will make the processing of patching applications much less disruptive than it is today.

Of course, the challenge most cybersecurity teams have today when it comes to deploying containers is that they lack visibility into those containers. Nevertheless, progress is being made even if it is slow in coming.

The goal CISOs and CIOs should be working towards is reducing the highs and lows of cybersecurity.

It may seem like replacing existing applications and systems is a costly way to go about solving cybersecurity issues. However, when the stress of gambling on cybersecurity is added to the losses a business will inevitably incur, the cost of those new applications and systems may not seem all that.

In the meantime, CISOs and CIOs would do well to remember that no matter how many times they win a bet, the odds over the long term are stacked against them.

About the author

Andrew Huntley is the regional director for ANZ and the Pacific Islands for Barracuda Networks. For more information, visit: https://www.barracuda.com/