Why Are We Making Information Security So Hard?

Posted by Tim Femister on Jun 18, 2019 10:00:00 AM

I often hear from folks that in general, small and medium-sized businesses lack a strategy and proper controls, but the big guys have it covered. Well, it might surprise you to learn that 30% of large enterprises state they still lack an overall information security strategy – and we’re talking huge, $25+ billion companies. Overall, 44% of enterprises report they lack a fundamental strategy. I’ll tell you from experience that most companies overestimate their cyber readiness, which means that the real numbers are likely much, much higher than the reported ones.

Why is it so hard to develop a comprehensive information security strategy—and just as important, why are we making it so hard?

It’s certainly not due to perceived importance. Fortune.com published an article earlier this year titled “U.S. CEOs Are More Worried About Cybersecurity Than a Possible Recession,” based on a recent survey by Conference Board. The survey cited cybersecurity as the #1 external challenge for US CEOs. In fact, research firm IDC expects 75% of chief information security officers to start reporting directly to the CEO rather than up through IT. This landscape change reflects the perceived importance of cybersecurity, as well as the ongoing separation in lines of business and budgets.

Despite the unprecedented level of importance in the minds of corporate executives, organizations lack the ability to form comprehensive strategies to address their cyber risk. Why? It doesn’t help that we are currently in the midst of a global workforce shortage for cybersecurity professionals – one larger than we’ve ever seen before. As of October, the workforce gap has increased to 2.9 million unfilled jobs. This is impacting organizations in several ways:

  • Organizations are moving internal IT associates with limited current knowledge – and often limited new training – into security roles
  • The tenure of security associates is dwindling due to consistently higher compensation offers, thereby reducing tribal knowledge
  • Fast-growing companies are not able to keep pace with hiring security talent, resulting in consistently overextended teams

Here’s a real-life example: A while back, I met with a multinational organization with several thousand employees. They had only one person focused on information security. One person! That person’s background, though quite sharp, was also almost exclusively in telephony. This person had no industry certifications and was provided very limited professional development opportunities. This scenario is not uncommon. People are the greatest asset for most organizations, and in cybersecurity, they are just plain hard to find.

But let’s say an organization has a strong, competent team that has worked together for several years. The fragmented vendor landscape, pace of change, and journey to cloud are creating mass confusion and major complexity. This perfect storm of challenges impacts an organization’s ability to implement solid strategies. Further complicating matters, there are currently over 1,200 cybersecurity vendors in the market that all have unique solutions and ways to address cyber threats. Each and every one is calling potential customers every day touting their ability to mitigate critical threats. This makes it very difficult to form a straightforward strategy, because in the realm of cybersecurity, an organization could never describe itself as a one-vendor shop. No one single vendor can provide an all-encompassing architecture. This creates a substantial challenge for organizations, as they are forced to create a cybersecurity fabric from many vendors to address their environment.

This is a big area where ConvergeOne stands out. We have the formula and capability to perform deep analysis before prescription and establish inclusive architectures. The challenge with cloud is no different than what we discussed above. There is no single “cloud security solution” that completely secures your cloud environments. You need a multivendor, integrated architecture. This is why reports from research firms like Gartner consistently cite cybersecurity as the top challenge for going to the cloud.

The good news? Organizations don’t have to do it alone. We have substantial experience leveraging our proprietary, proven WAVES Methodology to help customers identify and address cyber risk. Our passion for helping customers precipitates everything we do.



In this on-demand webcast, ConvergeOne's Joe Vigorito shares insights about cybersecurity based on his 20 years of experience in the industry. You'll learn how to significantly improve in the battle of hackers vs. defenders, how to gauge the current state of your cybersecurity posture, and how to begin implementing best practices to improve your cybersecurity efforts. Take the first step to better protecting your organization by viewing the webcast.

