One of the biggest issues any managed security services provider (MSSP) regularly encounters is, despite all evidence to the contrary, many IT and cybersecurity professionals remain convinced they have all the tools and processes needed to secure their IT environments.
A survey of 1,020 IT leaders conducted by Gigamon, finds half of the respondents (50 percent) are either somewhat confident, or completely confident, that their cloud computing environments and IT infrastructure are sufficiently secured.
However, a full 90 percent also concede their organization has experienced a cybersecurity breach in the last 18 months, with just under a third of those breaches not being discovered by internal cybersecurity and IT operations teams but rather data being found on the Dark Web.
More troubling still, 50 percent of the IT and security leaders surveyed admit they lack confidence in knowing where their most sensitive data is stored and how it is secured. In general, survey respondents also admit to being concerned about unexpected blind spots (56 percent), legislation (34 percent), attack complexity (32 percent), and the ongoing skills gap (20 percent).
Pride goes before the fall
The survey makes it plain that many IT leaders are overconfident in their ability to defend their organizations from cyberattacks successfully. That, of course, creates a major challenge for MSSPs that have invested heavily in acquiring cybersecurity skills and resources. It’s usually only in the aftermath of a major breach that IT leaders become more willing to consider the need for additional help. Until that moment, cybersecurity appears to be yet another instance where pride goes before the inevitable fall.
Fortunately, a wave of forthcoming legislation may soon change a lot of attitudes. A proposed Cyber Resilience Act, being negotiated by the member states of the European Union, seeks to require organizations that sell hardware platforms that connect to the Internet to ensure that both their devices and software comply with best cybersecurity practices. In the U.S., meanwhile, a National Cybersecurity Strategy proposal put forward by the Biden administration seeks to hold organizations that collect data or build software more accountable for breaches.
Pending legislative action creates an opportunity for MSSPs
While both proposals are a long way from becoming the law of the land anytime soon, they are indicative of a changing attitude. Governments around the world are concluding that the only way to ensure better cybersecurity is to require it. Previous recommendations made by government agencies around the world are soon going to give way to actual mandates. Business leaders, despite assurances from IT leaders, are going to look to further shore up cybersecurity as part of an effort to limit liability.
Savvy MSSPs will, of course, start conversations with customers today about the impact these legislative proposals will have on cybersecurity tomorrow. The current probability that an organization is going to experience a breach that runs afoul of these proposals is high. The proposals create an opportunity for MSSPs to have a conversation about cybersecurity that isn’t driven by an immediate crisis but shines a light on the current state of cybersecurity that most organizations want.
At the very least, it puts internal IT leaders on notice that there will be major legal consequences if a breach occurs that could have been prevented with just a little more vigilance.
Photo: Vasileios Karafillidis / Shutterstock
