The Security industry talks a lot about what could go wrong … but not so much about how to improve things
Research released today by The Security Transformation Research Foundation, ahead of the Cyber Security Leadership Summit in Berlin on 12-14 November 2019, highlights significant trends in the way the language of security has evolved across the last 2 decades.
The foundation analysed the semantics content of 17 annual “Global Information Security Surveys” from leading firm EY, spanning the period 2002-2018.
By looking at the frequency of keyword markers and how those frequencies have evolved over time, the research puts in evidence a clear demarcation between 2 periods.
While across the period up to 2009, the language is clearly dominated by considerations around risk and compliance, those considerations clearly subside during the following decade and are replaced by concerns around threats and incidents.
A language bias analysis also highlights that while the language during the first decade had a clear positive and managerial bias, again the trend changes across the last decade and the language becomes considerably more negative and more technical.
Concerns around the Cloud make a sharp outburst at the junction of the 2 decades and dominate considerations in 2010, 2011 and 2012 then seem to vanish into normality and acceptance.
A sense of realisation seems to dominate the junction between the 2 decades: The realisation that this is no longer JUST about Compliance and Risk, that Tech is changing, threats are real and incidents do impact Business.
The business language in the surveys also sharpens throughout the period, but considerations around execution, people, culture and skills clearly dwindle.
Overall, as the foundation puts it, “the Security industry tends to talk a lot about what could go wrong … but not as much about could be done to fix things”, with keyword markers such as risk, threat, compliance or incident 3.5 times more frequent across all surveys than governance, budget, delivery, priority, culture or skill.
As we look towards the next decade, the industry must pivot towards a clearer execution focus: Security cannot be seen any more JUST as a matter of risk appetite or as a box-checking exercise; equally, constant firefighting is no longer sufficient as the “when not if” paradigm takes root in the boardroom and senior executives demand real results, often in exchange of very significant investments.
Security must become a delivery imperative, and where existing maturity levels are low, the CISO must become a true transformational leader.
Click here to download the full white paper on the Security Transformation Research Foundation website.
The Security Transformation Research Foundation is a dedicated think-tank and research body aimed at approaching Security problems differently and producing innovative and challenging research ideas in the Security, Business Protection, Risk and Controls space.