It is more critical than ever for companies in Singapore to refresh the technologies and solutions in their cybersecurity infrastructure, according to findings of the Security Outcomes Study Volume 2, released by Cisco. The study highlights that almost half of cybersecurity technologies (47%) used by companies in Singapore are considered outdated by security and privacy professionals working at these organizations.
The study is based on a global survey of more than 5,100 security and privacy professionals across 27 markets. This includes more than 2,000 professionals from 13 markets in Asia Pacific. The study aims to determine the most impactful measures teams can take to defend their organizations against the evolving threat landscape.
Respondents, security and privacy professionals from companies in Singapore, shared their approaches to updating and integrating their security architecture, detecting and responding to threats and staying resilient when cyber incidents and attacks happen.
Aside from perceiving that their cybersecurity technologies are outdated, respondents from Singapore also consider their cybersecurity infrastructure unreliable and complex, with 44% and 55% respectively highlighting this in the survey.
The good news, though, is that companies in Singapore are investing in modern cybersecurity technologies and approaches to address this and improve their security posture. More than nine in 10 (92%) respondents in Singapore said their company is investing in a ‘Zero Trust’ strategy, with 52% saying their organization is making steady progress with adopting it, and 40% saying they are at a mature state of implementing it.
In addition, 87% of the respondents said their company is investing in Secure Access Service Edge (SASE) architecture, with 46% saying they are making good progress with adopting SASE, while 41% said that their implementation is at mature levels.
The SASE architecture is widely seen as an effective way to address these challenges. Simply put, SASE combines networking and security functions in the cloud to deliver secure access to applications anywhere users work.
Zero Trust, meanwhile, is a simple concept that involves verifying the identity of each user and device every time they access an organization’s network to reduce the security risk.
These two approaches are key to building a strong security posture for companies in the modern cloud-first and application-centric world. Organizations today face multiple challenges while operating in this environment, including complexity in connecting users to applications and data across multiple cloud platforms, inconsistent security policies across disparate locations and networks, difficulty in verifying the identity of users and devices, and a lack of end-to-end visibility of their security infrastructure, among others.
However, with the implementation of Zero Trust and SASE, organizations are empowered to overcome these obstacles as they are equipped with high visibility across users and applications and hold the capabilities to detect and respond to threats efficiently.
The value of cloud-based security architectures cannot be overstated. According to the study, organizations that have mature implementations of Zero Trust or SASE architectures are 35% more likely to report strong security operations than those with nascent implementations.
“Businesses across the globe, including here in Singapore, have seen a huge change in their operating models, driven in large part by the pandemic. As they grapple with changes like a distributed workforce and digital-first interactions, it is imperative for them to be able to connect users seamlessly to the applications and data they need to access, in any environment and from any location. They need to achieve this while being able to control access and enforce the right security protection across networks, devices, and locations,” said Kerry Singleton, Managing Director, Cybersecurity, Asia Pacific, Japan and China at Cisco.
Other key findings of the study include:
- Organizations that leverage threat intelligence achieve faster mean time to repair (MTTR), with rates 50% lower than those of non-intel users.
- Organizations with integrated technologies are seven times more likely to achieve high levels of process automation. Additionally, these organizations boast more than 40% stronger threat detection capabilities.
- Automation more than doubles the performance of less experienced staff, supporting organizations through skills and labor shortages.
- As the threat landscape continues to evolve, testing business continuity and disaster recovery capabilities regularly and in multiple ways is more critical than ever, with proactive organizations 2.5 times more likely to maintain business resiliency.
- Organizations with board-level oversight of business continuity and disaster recovery efforts that have operations residing within cybersecurity teams perform best.
Organizations compromise on cybersecurity in favor of other goals
Meanwhile, research by Trend Micro Incorporated highlights another dimension to the issue, revealing that 90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals. Additionally, 82% have felt pressured to downplay the severity of cyber risks to their board.
“IT leaders are self-censoring in front of their boards for fear of appearing repetitive or too negative, with almost a third claiming this is a constant pressure. But this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure,” said Bharat Mistry, UK technical director for Trend Micro.
“We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth – helping to bring together IT and business leaders who, in reality, are both fighting for the same cause.”
“IT decision makers should never have to downplay the severity of cyber risks to the Board. But they may need to modify their language so both sides understand each other,” said Phil Gough, Head of Information Security and Assurance at Nuffield Health.
“That’s the first step to aligning business-cybersecurity strategy, and it’s a crucial one. Articulating cyber risks in business terms will get them the attention they deserve, and help the C-suite to recognise security as a growth enabler, not a block on innovation.”
The research reveals that just 50% of IT leaders and 38% of business decision makers believe the C-suite completely understands cyber risks. Although some think this is because the topic is complex and constantly changing, many believe the C-suite either doesn’t try hard enough (26%) or doesn’t want (20%) to understand.
There’s also disagreement between IT and business leaders over who’s ultimately responsible for managing and mitigating risk. IT leaders are nearly twice as likely as business leaders to point to IT teams and the CISO. 49% of respondents claim that cyber risks are still being treated as an IT problem rather than a business risk.
This friction is causing potentially serious issues: 52% of respondents agree that their organization’s attitude to cyber risk is inconsistent and varies from month to month.
However, 31% of respondents believe cybersecurity is the biggest business risk today, and 66% claim it has the highest cost impact of any business risk – a seemingly conflicting opinion given the overall willingness to compromise on security.
There are three main ways respondents believe the C-suite will sit up and take notice of cyber risk:
- 62% think it would take a breach of their organization
- 62% say it would help if they could better report on and more easily explain the business risk of cyber threats
- 61% say it would make an impact if customers start demanding more sophisticated security credentials
“To make cybersecurity a board-level issue, the C-suite must come to view it as a true business enabler,” said Marc Walsh, Enterprise Security Architect at Coillte.
“This will prompt IT and security leaders to articulate their challenges to the board in the language of business risk. And it will require prioritized, proactive investments from the boardroom – not just band-aid solutions following a breach.”