2024 State of Cybersecurity Report

Inflection Point

Cybersecurity is finally getting the attention it deserves, yet critical hurdles remain — from reducing tech bloat to dismantling data silos. Getting it done will require closer alignment between the CIO and CISO.

 


Introduction

First the good news. Ivanti’s latest research — a study of over 7,000 leadership-level executives, cybersecurity professionals and office workers — finds cybersecurity is widely viewed as a top organizational priority, even at the board level. 

  • 73% of leadership-level executives and IT/security professionals report security budgets are on the rise.
  • 87% say the organization’s 2024 cybersecurity budget is sufficient to meet goals — and they’re investing it across a mix of established and emerging areas — from cloud and data security to identity threat detection and generative AI.  
  • 91% report cybersecurity is viewed as a core strategic asset within their organization.

Plus, security preparedness is improving overall; 57% say they’re more prepared to defend against cybersecurity attacks compared to one year ago.



Another positive sign: Ivanti’s research shows boards are increasingly invested in cybersecurity outcomes. Fully 80% of those surveyed say their boards include someone with security expertise, and 86% report it’s a topic of discussion at the board level.

This board-level attention is critical because it positions cybersecurity not simply as a technology risk, but a critical business risk. In doing so, cybersecurity becomes a key consideration across a wide range of strategic, C-level decisions — from retooling supply chains and vetting acquisitions, to weighing whether to enter new markets. 

A recent report from MIT Sloan Management Review underlines this view: “Complex, ever-evolving cybersecurity risks that are intertwined with business risks require the focused attention of at least one board director with deep technology and business knowledge and experience.”


Despite all the positive signals about leadership and board participation, we wondered, “How deep does the support run?”

We asked both leaders and security/IT professionals how well organizational leaders understand key concepts in cybersecurity. After all, a nuanced understanding of key terms can be a proxy for — or precursor to — executive-level buy-in. 

Fewer than half say their leaders have an advanced understanding of terms like vulnerability management (45%), and zero trust (44%). Among organizations with less mature cybersecurity programs, just 24-26% report leaders understood these concepts. The cybersecurity maturity scale is explained in section 03.

The Ivanti research also underscores an ongoing (and costly) point of friction: insufficient alignment between the CIO and CISO — and this isn’t just a leadership problem. 

Fully 72% of professionals surveyed report IT and security data is siloed in their organization. And 41% say IT and security teams struggle to collaboratively manage cybersecurity. 




These long-held, systemic tech and data silos elevate risk and slow transformation. Nearly 2 in 3 (63%) IT and security professionals report that siloed data slows security response times and 54% say data silos weaken their organization's security posture.

Data silos can also mean investments in AI and automation fall short due to a lack of data accessibility and visibility. 

Advanced AI solutions require large amounts of high-quality data for training and operation. When technology and data are highly siloed — as they are between IT and security inside many organizations — next-generation AI applications are dead on arrival. Any delay in leveraging AI to its full potential could have years-long ramifications for a company’s security posture and business position.

If cybersecurity wants to be a strategic partner to the C-suite, it must break down these barriers — both technological and cultural.




 

01

Cyber AI

Organizations so far have a scattershot approach to AI. Most understand it poses risk to the organization, but too many have no strategy in place to react to AI threats. It’s time to change that. 

Advances in AI have the potential to empower cybersecurity teams, but also — when wielded by attackers — to disarm them.

First, the positive. Cyber AI can protect organizations by: 

  • Detecting threats and responding to attacks faster and more accurately. 
  • Identifying patterns and trends to proactively predict an attack before it materializes. 
  • Consolidating knowledge from diverse sources to gain a more holistic understanding of the threat landscape, synthesize responses and prioritize next moves. 
  • Automating tasks for speed and accuracy, such as isolating infected devices, writing robust code or scheduling patching cycles.

But cyber AI can also put organizations at greater risk. For example, many organizations are using AI and automation to take over rote, repetitive tasks and reduce workloads — but if not given due consideration, these changes could lead to internal complacency, whether due to a false sense of security or diminished oversight. 

And bad actors can leverage AI’s power and reach to further their nefarious ends:

  • Deploying automation to quickly identify vulnerabilities, scan networks and launch attacks.
  • Using AI-powered social engineering to produce much more convincing and personalized phishing emails.
  • Building malware that escapes detection by mimicking normal network behavior.
  • Democratizing hacking through AI learning (i.e., placing powerful algorithms in the hands of even relatively inexperienced and unskilled hackers).
  • Hacking AI systems through hostile takeovers — essentially turning the AI against the organization it’s supposed to be working for.

Despite these risks, IT and security professionals are largely optimistic about the influence of AI on security. Nearly half (46%) believe it’s a net positive, and another 44% believe the impact will be “neutral” (neither positive nor negative).



Optimism aside, we wanted to know: what types of AI-powered attacks do IT and security pros believe pose the greatest threat? Among the most dangerous, they say, are generative adversarial networks, spoofing and tampering. 

Third-party vendors also pose a high-risk entry point for AI-powered attacks, and our research shows more than half (53%) of organizations surveyed have not audited third-party vendors for risks related to gen-AI.



Despite the elevated threats, nearly 1 in 3 have no documented strategy in place to address generative AI risks.

There is no single answer to AI-powered threats. Even though training has been a first line of defense for phishing attacks in the past, just 32% say they believe training is “very effective” to protect against AI-powered social engineering attacks such as deepfakes. (Our study of office workers found that 54% were not aware that advanced AIs can now impersonate anyone’s voice.) 

The speed with which gen AI will reshape the security landscape means any method that relies in any significant part on human detection will invariably fall short.

Organizations must combine existing employee education and training with the hypervigilance of AI-powered security tools. Tomas Chamorro-Premuzic, chief innovation officer at Manpower Group, offers similar advice in the Harvard Business Review: “This calls not for an either-or choice between relying on human or artificial intelligence to keep businesses safe from attacks, but for a culture that manages to leverage both technological innovations and human expertise in the hopes of being less vulnerable than others.”  



Using a multilayered approach to AI-powered threats, organizations should optimize both operational improvements and tech-driven defense tactics. These include: 

Cyber AI governance and oversight

  • Hiring AI expertise.
  • Assessing vendor risk and compliance. 
  • Adopting strategy and guidelines for using gen AI.
  • Instituting and/or refining data governance practices.

Cyber AI defense and barriers

  • Improving data access and visibility. 
  • Empowering collaboration. 
  • Reducing tool/license proliferation.

02

BYOD

Security teams say they know when employees use their personal devices for work, a practice called BYOD (bring your own device). Ivanti’s research suggests otherwise.

Our research shows rates of BYOD are high — whether permitted or not.

According to IT and security experts, BYOD is practiced at 84% of organizations globally, though just 52% allow it. Among those that do not allow it, participation is still high; 78% say employees use their personal devices at work even when it’s forbidden.

Allowing — or quietly tolerating — BYOD doesn’t always translate to tracking and managing it. In fact, over 1 in 3 organizations that either explicitly allow BYOD, or simply look the other way, do not track BYOD or aren’t sure whether they do. This despite widespread recognition that the risk from BYOD is moderate or high. 



Office workers confirm the problem is widespread. 81% of office workers admit they are using some type of personal device for work. Of those, half are logging in to networks and work software on their personal devices. And 40% say their employers don’t know about their activities.

Employees tell us they use their own devices primarily because they prefer the UX and reliability of personal devices, and because their employers don’t provide mobile phones. 



Many organizations make the conscious trade-off to allow BYOD — accepting some small amount of added risk in exchange for greater visibility and control over those personal devices accessing the network. Even some agencies within the US federal government allow employees to bring their own devices in limited circumstances, and the National Institute of Standards and Technology (NIST) published guidelines and best practices for BYOD in its 2016 User's Guide to Telework and Bring Your Own Device Security.



 

Part of the problem is that many IT and cybersecurity teams currently have no effective way to track and manage employees’ personal devices at work. Just 63% are able to track BYOD alongside corporate-owned IT assets.

Employers are understandably reluctant to forbid BYOD because doing so will only invite higher rates of shadow BYOD. The solution lies in gaining better visibility and control over BYOD, and by doing so, minimizing the risks associated with it.  

By using unified endpoint management (UEM), which includes features to manage employees’ personal devices, companies can do things like enforce strong passwords, set system access protocols (i.e., minimum necessary access), require data management software, force updates and, in a worst-case scenario, force lock-out and purge features. And because UEM solutions allow the employer to partition an employee’s phone or laptop, separating personal data from work data, these types of purges only affect work product, not personal data. 

03

Best in class

What does it take to run a best-in-class cybersecurity organization? What do the most advanced organizations do differently? 

We asked survey-takers who work in cybersecurity to rate their organization’s level of cybersecurity preparedness — from basic (Level 1) to best-in-class (Level 4) — to develop a Cybersecurity Maturity Scale.

We then compared these cohorts — shown below — to learn more about the practices and behaviors of Level 4 organizations, the most advanced organizations we surveyed. 



What did we learn?

Advanced organizations (i.e., Level 4s) have exceptionally strong leadership buy-in. 80% say their organizational leadership is highly supportive and invested in the cybersecurity mandate — more than 2x the rate of less mature organizations.

Leaders at Level 4 organizations understand key security concepts — complex topics like vulnerability management and zero trust. In fact, they are at least 2.5x more likely to understand these terms compared to Level 2s, meaning they’re engaged, informed and aware.

CISOs inside advanced organizations are more likely to report directly to the CEO (51%) than report to the CIO (40%). Outside this cohort, CISOs more often report to the CIO. There is no single answer to reporting structures, but the difference is notable because it shows CISOs are much more likely to have a seat at the executive table in these advanced security organizations — and are more likely to be invited to conversations about organizational strategy and risk tolerance.

Advanced organizations have investigated and identified risk throughout their software supply chain. 73% of Level 4s say they’ve identified third-party systems/components that are most vulnerable in the supply chain (and will cause the largest organizational impact if compromised) — nearly 3x the rate of less mature organizations.



Advanced organizations have a clear cyber AI strategy — both how to address the threat it poses and how to leverage it as an asset. Even though they’re more likely than others to be concerned about AI’s negative impacts, 61% also view AI as a net positive for security, compared to 28% of Level 2s. 

80% of Level 4 organizations say they use a documented strategy to address generative AI vulnerabilities and risk (compare this to 48% of Level 2s). And Level 4s have more protective layers in place to guard against AI-powered threats — from endpoint management, detection and response to mobile threat defenses and anti-phishing training.



What do ALL organizations — even Level 4s — still struggle with?

Invisible, unmanaged BYOD is a problem even for advanced organizations. Yes, Level 4 organizations are more likely to allow and manage BYOD than others we surveyed, but the figures aren’t exceptional. Nearly 1 in 5 advanced organizations say BYOD is not allowed but still tolerated. And 25% say they cannot currently track and manage BYOD.

Data silos between security and IT are a pervasive problem for all organizations. 71% of advanced organizations say their security and IT data is siloed, which is actually 8 points higher than Level 2 organizations. And 58% of Level 4s admit these silos slow down security response times. Data silos are a universal problem for CISOs and CIOs — and a particularly thorny one given the speed of investments in AI, which will require data integration and accessibility. 

04

2024 and beyond

The next chapter: greater collaboration between CIOs, CISOs and the vendors they rely on. 

Alignment, transparency and accountability will allow organizations to leverage the latest technology while driving a more secure workplace. So where must the security community focus to bring this next chapter to life? 

Understanding the supply chain — and creating mutual accountability. 

Given the sheer complexity of the software supply chain in the modern enterprise, it’s unsurprising that understanding supply chain risk is a consistent weak point among organizations surveyed. Only 46% of security professionals surveyed say they have identified the third-party systems that are most vulnerable. 

Beyond supply chain audits, CISOs can partner with CIOs to make smart decisions about vendor selection — and ultimately reduce their organization’s overall risk profile — by holding vendors accountable for adherence to secure-by-design principles. Examples include having a published vulnerability disclosure policy, supporting authentication best practices and providing capabilities to gather evidence of intrusion.  

CISOs can also work to reduce supply chain risk by collaborating with CIOs on clear timelines and processes for updating or replacing out-of-date or unsupported IT assets.

Dismantling data silos that slow response times and hide critical insights. 

Inaccessible, incomplete and insufficient data is a key theme of this report, not only because of its prevalence, but because its effects are so far-reaching. 



Looking to the near future, it’s clear that data accessibility and integrity are prerequisites for adopting the next-gen AI tools that will allow security teams to counter AI-enabled threat actors.

In the present, security teams continue to struggle with information gaps that hamper daily activities. Nearly half of the respondents surveyed say they have insufficient data on the software employees use to make informed security decisions. Building shared dashboards, developing integrations between IT and security tools: these steps are imperative for efficient and effective security operations. 

And this responsibility isn’t solely on internal IT and security teams. Software providers hold the key to a crucial information gap — vendor risk data — cited by more than 1 in 3 respondents. It’s incumbent upon these providers to take ownership of security outcomes of their customers, disclosing vulnerabilities responsibly and issuing timely, correct and complete CVE records. 

Targeting areas of friction to uncover operational improvements. 

Data silos are perhaps the most glaring, but certainly not the only, impediments to better IT and security operations. Collaboration between these two teams can uncover persistent points of friction in regular processes, particularly those that cross between teams. Shared process improvements, underlaid by the right technology, alleviate that friction and, by extension, improve the organization’s security posture. 

Automating repetitive activities can address challenges with handoffs, misaligned prioritization and slow response times, while minimizing human effort (a critical consideration given widespread talent shortages). For example, allowing automatic installation of patches, where supported by a vendor, is a simple but effective answer to patching pain points that might otherwise leave an organization exposed. 

Tool proliferation is another area ripe for process improvement. Security professionals surveyed estimate that they use an average of 7.6 different security tools, meaning they are constantly switching context as they go about their daily jobs. Consolidating the tech stack — either eliminating redundant tools or creating integrations to allow for a single system of record — can minimize the small but consistent daily delays that together add up to major inefficiencies. 

Aligning how the CIO and CISO think about and act on security mandates. 

Repairing silos and gaining a holistic view of an organization’s risk landscape is a technology problem, but it’s also a leadership problem. 

Enabling a productive workforce while also securing the organization’s data presents a tug-of-war between two vital priorities. These priorities can put the CIO and CISO at odds — or they can become shared priorities that help both parties build consensus on organizational risk tolerance. 

From this place of alignment, leaders can collectively set and enforce expectations on security policy within their organizations. They can choose to work with technology providers that align with their values and take responsibility for their security outcomes. And they can present a united front to the rest of the executive team and to the board on technology decisions, advancing an agenda that supports the workforce and secures the organization in equal measure. 


Methodology

About the research 

Ivanti surveyed over 7,300 executive leaders, IT and cybersecurity professionals and office workers in October 2023. Our goal: to understand today’s most pressing cybersecurity threats as well as emerging trends, opportunities and business strategies.

As part of the study we developed a Cybersecurity Maturity Scale. See more details in section 03. Collecting information through self-reporting has limitations, as people may be biased when evaluating their own efforts; however, we believe the findings based on this maturity model provide useful signals to the cybersecurity field. We ask that readers keep these limitations in mind. 

This study was administered by Ravn Research, and panelists were recruited by MSI Advanced Customer Insights. Survey results are unweighted. Further details by country are available by request. 

 
