Cybersecurity: Corporate Boards Take a Reactive Approach to Security

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• Though more than 76% of the surveyed corporate directors say their boards had at least one cybersecurity expert member, only one-third highly regarded their board of directors’ ability to navigate a security disaster.

• Leadership is not as proactive as it should be in getting ahead of incidents. Fewer than half of the boards of directors that participated in the study had conducted cybersecurity tabletop exercises in the last 12 months.

The Wall Street Journal and the National Association of Corporate Directors surveyed 472 directors across all industries about their current cyber risk management postures and their respective levels of preparedness. The survey comes in advance of new US Securities and Exchange Commission (SEC) requirements that public companies release uniform reports on cybersecurity risk management, governance, incident reports, and cybersecurity expertise within their board of directors. The survey results paint a mixed picture that reveals a fairly high level of expertise but a largely reactive approach to security.

Threat Preparedness: Not Ready for Prime Time

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• IT security preparedness may not be where it should be, but organizations are keenly aware of the threat. Some 82% of those surveyed in Cisco’s Cybersecurity Readiness Index said cybersecurity incidents are likely to disrupt their businesses over the next 12 to 24 months.

• Nearly 60% had been hit by a security breach in the last 12 months.

Enterprise cybersecurity awareness is at an all-time high amid the challenges associated with protecting IT resources, with organizations across most industries building out end-user security training. However, even with increasing education, a surprisingly high percentage of organizations are still underprepared to mount a strong defense against cyber threats. In Cisco’s first-ever Cybersecurity Readiness Index, based on metrics across five pillars of IT security (identity, devices, network, application workloads, and data) and the implementation stage of 19 security solutions within those, only 15% of the 6,700 met the requirements to be considered “mature” in their cyber readiness. Thirty percent were rated “progressive” in their preparedness. Forty-seven percent were categorized as formative in their security implementations. And eight percent are very early in their security journeys, with a beginner ranking.

IBM Sued for Misleading Investors on Cloud Revenues

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• A lawsuit, filed on behalf of International Business Machines (IBM) shareholders, claims the tech giant intentionally misidentified revenues from legacy mainframe sales as coming from more cutting-edge products, including cloud.

• Originally filed in 2022 and withdrawn later in the year, the refiled suit alleges a number of executives, including former CEO Ginni Rometty and the current chief executive officer Arvind Krishna, misled investors to believe that sales of its cloud, analytics, mobile, social, and security products (CAMSS) were making big gains.

A class action lawsuit filed against IBM in January 2023 on behalf of the company’s shareholders accuses 13 executives, including former chief executive Ginni Rometty and current CEO Arvind Krishna, of inflating cloud and other modern service revenue numbers by including mainframe figures in with cloud, analytics, mobile, social, and security products. Both the company and the individual executives were named in the suit. The suit posits the executives wanted to demonstrate momentum for more modern product areas in which the company had invested heavily in recent years, including its Watson AI platform. The suit seeks damages for investors who purchased IBM stock between January 18, 2018 and October 16, 2018.

Cyber Resilience: Strategies for Operational Continuity in a Troubling Threat Environment

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• Security resilience, defined as the ability to protect the integrity of every aspect of the business against threats and unexpected conditions, is a top priority for 96% of the 4,751 enterprise organizations surveyed in recent Cisco-sponsored research.

• Of the enterprises queried, 41% report that there had been a major security incident or loss within the last two years.

At a time when enterprise risk is omnipresent, IT professionals operate in a heightened state of alert. Organizations are cognizant of the fact that they are not only being targeted by cybercriminals, but that an intrusion is more likely than not to occur. With this in mind, Cisco conducted its third annual Security Outcomes research to get a sense of what is working for organizations as they strategize to defend their enterprises against a relentless threat environment. The high-level takeaway is that IT departments are making powering through security incidents (not just recovering from them) a top priority, with 96% of the 4,700 surveyed organizations calling cyber resilience a crucial concern for their business.

SMBs’ Cloud Security Struggles Exposed

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• Of the 4,984 IT professionals queried in a recent Sophos cloud security survey, 56% report a surge in attack volume and 53% say the negative effect of security incidents has been more severe in 2022 than 2021.

• Nearly two-thirds cited a limited vantage point into their cloud assets and configurations as a major contributor to their security woes.

The migration to the cloud has been especially challenging for small and mid-sized businesses that often lack the internal expertise necessary to make the transition successfully. Cloud security is one of the most vexing issues, with SMBs too often lacking the resources to consistently monitor what are often complex cloud environments. In a recent Sophos survey of 4,984 IT staffers in 31 countries, the security vendor has found a sharp increase in the volume, complexity, and negative impact of attacks in the last year. An alarming 67% report that their organizations have been subject to a ransomware demand.

Cybersecurity Workforce Gap Leaves Many Organizations Underprotected

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• (ISC)² reports that while big gains have been made in hiring cybersecurity professionals around the world in 2022, the number of unfilled positions has expanded dramatically.

• Nearly 70% of the 11,779 professionals surveyed for the study say understaffing made their organizations vulnerable.

With the volume of threats on a seemingly endless upward trajectory, awareness of how critical it is to have effective security technology and personnel in place has been a long-time board-level concern. Unfortunately, lack of resources, particularly of the human variety, has plagued the security industry for years. Despite some major efforts across industries to bring in more security talent, there are still major gaps in coverage. In its 2022 Cybersecurity Workforce study, the non-profit security professionals’ organization (ISC)² reports an 11.1% increase in the number of security professionals in the workforce globally. This represents an addition of 464,000 security staff in the last year. Unfortunately, demand is outstripping supply. The number of unfilled IT security positions has more than doubled to a 26.2% increase in the last year, which translates to more than 3.4 million vacant spots.

Akamai Reports a Surge in Malicious Domains

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• Akamai has identified almost 13 million malicious domains per month in 2022, roughly 20% of all newly observed domains (NODs) that access the provider’s content delivery network (CDN).

• While it remains to be seen how threat actors will operationalize these, it is indicative of looming state-backed cyberwarfare attacks.

Security, cloud, and CDN provider Akamai offers some insights into a looming cyber threat. In a report published at the end of September 2022, Akamai says it has seen a significant uptick in the number of malicious NODs on its CDN. The company says NOD-based threat detection gives the company a means to assess the “long tail” of DNS queries to identify new threats in a very early phase. Akamai defines a NOD as a domain name queried for the first time within a 60-day window.

IBM Joins Forces with 20 HBCUs to Open Cybersecurity Training Centers

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• IBM added 14 Historically Black Colleges and Universities (HBCUs) cybersecurity partners as the company looks to help train and certify new industry professionals.

• The initiative is part of IBM’s broader, pro bono effort to foster science, technology, engineering, and math (STEM) programs in high schools and colleges.

At the National HBCU Week Conference in Washington DC (US), IBM said it is adding 14 new colleges and university partners to its program announced in May 2022 to train students to become cybersecurity professionals. This brings the total number of IBM’s partners to 20 schools in 11 states.

Verizon’s 2022 Payment Security Report Shed Light on Progress and Challenges in Data Protection

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• In 2020, Verizon compiled data from PCI DSS security assessors from Verizon and four outside sources to analyze the state of compliance and data security in advance of the release of the latest version of the PCI DSS specification – 4.0 – earlier this year.

• The results are encouraging with 43.4% maintaining full compliance as assessed during an interim audit in 2020 versus 27.9% in 2019.

While the need to meet regulatory requirements associated with data privacy is often cited as an investment driver in security technology, too often organizations struggle to maintain protections during the interim periods between Payment Card Industry Data Security Standard (PCI DSS) audits. The lack of consistent enforcement leaves organizations that handle sensitive financial information vulnerable to breaches.

Realizing Real Returns from On-Demand Service Investment in Latin America

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

As the global economy faces serious headwinds from a challenging geopolitical climate, enterprises are turning to technology as a tool to help navigate rocky competitive terrain. This is particularly true in regions like Latin America where economic instability has long been a problem. Serious economic challenges came into sharp relief in the region when nominal GDP declined 16.3% in 2020 from $5.2 trillion to $4.5 trillion.