Those meetings took a year. "Now, when we talk about a high risk—whether it's a physical security risk or an IT risk or a hiring a person—we all know what 'high' means," McCreight says.
To the Cloud
Cloud computing is changing how many organizations view risk. This year, 47 percent of respondents report using cloud computing, and of those using cloud, 59 percent believe their security posture has improved, yet only 18 percent include rules about cloud in their security policies. Software as a service remains the most widely adopted cloud service, staying steady at 69 percent adoption, and platform as a service shows the strongest year-over-year growth, increasing from 29 percent to 37 percent.
Martin Sandren, enterprise architect for security at Blue Cross Blue Shield, explains how he believes the insurer has dramatically reduced risk by moving to the cloud. "We have made a huge shift to cloud—about 80 percent of all the systems we build today are cloud-based. Almost nothing goes into our internal systems anymore," Sandren says.
This move, Sandren explains, has helped mitigate a considerable amount of the risk that results from the security practices of its smaller partners. "As a payer organization, we have a lot of small suppliers who run a very small IT operation, but they're really good at a specific business task. This is a potentially risky situation, especially when sharing regulated data," Sandren says.
"For these businesses—and that's a lot of that [type of] business—the cloud has made it much easier for them and us to manage risk," Sandren adds. Before, these 10-person companies usually ran off a couple of servers sitting under someone's desk. "Now, these same small businesses have their servers hosted on a cloud provider that we vetted. Suddenly they have the same kind of physical security we find in an enterprise data warehouse. That's helped us a lot in quantifying risk," he says.
Steve Phillips, CIO at Avnet, the $25.5 billion electronics distributor, also puts cloud vendors through a rigorous vetting of their security capabilities and maturity. "You can't outsource risk or reputation damage should something happen," says Phillips. "That's why we put our providers through a serious evaluation—not a simple check-the-box exercise—to make sure they have the capabilities to provide the level of security we expect."
To ensure that IT and cloud service providers live up to their claims, Phillips also makes sure that their contracts include certain clauses, such as one requiring the provider to relay information on any breaches and another giving Avnet an escape hatch should a breach be serious enough to warrant termination of the relationship.
A Step Behind
Why are the costs of data breaches rising despite the substantial increase in security investments among the enterprises surveyed? Certainly some of it can be attributed to the rising costs of responding to breach disclosures, increased threats, and a higher priority placed on cybersecurity. However, a big part of the rising cost is that too much emphasis is placed on preventing and spotting attacks, when organizations should also be developing the ability to respond when the inevitable occurs.