How prepared to manage threats are chief information security officers (CISOs) and others responsible for data security in business organizations across the United States and the United Kingdom? If the results of a new survey are to be believed, not really all that prepared.
As Healthcare Informatics Associate Editor Heather Landi reported yesterday, the results of a recent survey on the subject have just been released, and they are cause for concern. As Landi reported, “A recent survey of IT information security decision makers found that 68 percent of respondents have, at best, only modest confidence in their ability to manage digital threats, and a quarter of healthcare information security decision makers cited little to no confidence in their ability to assess digital risks. RiskIQ, a San Francisco-based digital threat management solutions company, released new independent research on the state of digital defense, with the predominant finding being organizations believe their digital transformation efforts have outpaced security capacity. The survey, called the ‘2017 State of Enterprise Digital Defense Report,’ includes a range of industries, including healthcare and pharmaceutical, as well as financial services, banking, technology, retail, manufacturing, publishing and media, entertainment and hospitality, and consumer goods.”
As our news article noted, “The research, conducted by IDG Connect, a Framingham, Mass.-based research company, examines the current landscape of digital threats and the maturity of defenses to protect an organization’s digital presence. The findings quantify the security management gap and business impact of external web, social, and mobile threats. Survey respondents included 465 IT information security decision makers in organizations with more than 1,000 employees in the U.S. and U.K.” Further, in conducting the survey, RiskIQ researchers wanted to get IT security leaders’ perspectives on the challenges facing all industries, and how well they felt they were doing in rising to meet those challenges.
Here's the most worrisome part of all of this. As Landi reported, “About a third of respondents have significant confidence in their ability to improve, but it discovered a very significant number of respondents—about a fifth—that have zero to little confidence that things are on the up. And over two-thirds (68 percent) have, at best, modest confidence to manage digital threats. What’s more, 69 percent cited no to modest confidence to mitigate or prevent external digital threats, and 70 percent of respondents have no to modest confidence in reducing their digital attack surface, expressing the least confidence in threats against web, brand, and ecosystem assessment.”
And, when it comes to healthcare, “Respondents in the healthcare and pharmaceutical sector felt particularly at a loss with almost a quarter (24 percent) saying they felt little to no confidence in their ability to assess digital risks, according to the survey findings.”
Now, let’s put this into perspective: while 24 percent of respondents in the healthcare and pharmaceutical sector felt “little or no confidence in their ability to assess digital risks,” across industries, 70 percent of respondents said they felt “no to modest confidence in reducing their digital attack surface,” while 69 percent “cited no to modest confidence to mitigate or prevent external digital threats.” To be fair, the IDG folks did not offer a trans-industry statistic that was an apples-to-apples comparison with that 24-percent figure from healthcare. But clearly, the levels of confidence around data security are low across industries. What’s more, one must also keep in mind that British healthcare organizations are different from American ones, in that they are governed by the National Health Service of the U.K., which is very different from how American hospital organizations are governed.
Other results from the survey probably speak to the size and scope gap across industries, not only healthcare. As IDG’s summary noted, “Larger companies felt that they were better able to update control systems and collaborate across departments, perhaps showing the benefits of scale”; while “Smaller companies felt best able to inform others about the status of external attacks, perhaps reflecting the benefits of having a smaller base to worry about.”
Still, the IDG folks noted that “Digital threat management appears more progressive among organizations in financial services, manufacturing, and consumer goods, as expressed by overall expenditure.” That analysis matches everything we know about the stages of development of data and IT security across different industries, with the healthcare industry coming late to the issue—decades after the banking and financial services industry, the consumer retailing industry, and even the transportation and hospitality industries, had already moved to strategize around and implement comprehensive data and IT security strategies.