Complexity is the enemy of security

Larry Ponemon

We are pleased to present the findings of The Cost & Consequences of Security Complexity, sponsored by MobileIron. The purpose of this research is to understand the reasons behind the growing complexity of companies’ IT security architecture and how it is affecting their ability to respond to cyber threats. We surveyed 589 individuals involved in securing, overseeing and assessing the effectiveness of their organizations’ information systems or IT infrastructure.

While some complexity in an IT security architecture is expected in order to deal with the many threats facing organizations, too much complexity, as shown in this research, can impact the ability to respond to cyber threats. Participants in this research understand the negative impact IT security complexity has on their organizations’ security posture. In order to be able to protect their organizations from cyber threats, 68 percent of respondents believe it is essential (33 percent) or very important (35 percent) to reduce complexity within their IT security architecture.

According to respondents, employees’ access to cloud-based apps and data and use of mobile devices in the workplace are the biggest drivers of complexity. The growth in unstructured data is making it increasingly difficult to deal with cyber threats.

Complexity seems unstoppable. As shown in Figure 1, complexity is a growing problem. Fifty-eight percent of respondents say in the past two years the complexity of their organizations’ IT security architecture increased significantly (28 percent) or increased (30 percent) and 66 percent believe in the next two years complexity will increase.

Following are eight consequences of complexity.

  • Inability to integrate security technologies across different platforms.
  • Inability to ensure policies and governance practices are applied consistently across the enterprise.
  • Too many active endpoints.
  • Poor investments in overly complex security technologies that are difficult to operate and financial loss due to the scrapping of these complex technologies.
  • Inability to see vulnerabilities in the system.
  • Difficulty in communicating the organization’s security strategy and approach to deal with cyber threats to senior management.
  • Decline in productivity of IT security staff due to complexity.
  • Lack of accountability for IT security practices.

Part 2. Key findings

Here is a sampling of the key findings. These will be explored in more detail during a webinar held on Jan. 17.

Most IT security architectures are very complex. Sixty-seven percent of respondents say their organizations’ IT security architecture is very complex.

What are the consequences of complexity? Only 35 percent of respondents rate their ability to hire and retain qualified security personnel as high (7+ on a scale from 1 = no ability to 10 = strong ability). Also problematic is the ability to integrate security technologies across different platforms (only 29 percent rate their ability as high) or to ensure policies and governance practices are applied consistently across the enterprise (only 21 percent rate their ability as high).

Employees’ use of cloud-based apps and mobile devices is considered most responsible for IT security complexity. Some 64 percent say it is access to cloud-based applications and data and 56 percent say it is the use of mobile devices (including BYOD and mobile apps) that increase the complexity of dealing with IT security risks. The rapid growth of unstructured data and constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing also increase complexity.

Investments in security technologies have contributed to complexity. In the survey, 61 percent of respondents say enabling security technologies have made it more complicated to deal with threats, and 72 percent say they have lost money on poor investment in enabling security technologies.

Current security architectures are overly complex. According to 71 percent of respondents, the complexity of their companies’ IT and IT security architecture makes it difficult to see vulnerabilities in the system and 51 percent of respondents say simplified policies and processes are needed to improve the ability to respond to a changing threat landscape.

Companies shelved or scrapped enabling security technologies because of complexity. Sixty-five percent of respondents say their company has had to frequently (27 percent) or sometimes (38 percent) scrap or shelve one or more enabling security technologies because they did not effectively moderate cyber threats or were too complex to operate. The primary reason for not deploying technologies purchased is that they were too complicated to operate (63 percent of respondents). Other reasons are the lack of in-house expertise to deploy and manage the technology (54 percent of respondents) and poor vendor support and service (48 percent of respondents).

Complexity makes it difficult to explain the approach taken to reduce IT security risks to senior management. Some 67 percent of respondents believe their company’s approach to dealing with cyber threats is too complex to explain to senior executives. Such difficulty in communicating IT security practices to senior management leads to difficulty in achieving goals and objectives set by senior management (49 percent of respondents). As a result, 62 percent of respondents say their company needs to simplify and streamline its security architecture.

Complexity affects the staffing of knowledgeable IT security professionals. As discussed previously, only 35 percent of respondents rate their companies’ ability to hire and retain qualified security personnel as high; 56 percent of respondents say they do not have the necessary expertise to deal with the complexity of their IT and IT security processes and 52 percent of respondents say their companies’ current IT security infrastructure is too complicated and, as a result, decreases the productivity of their IT security staff.

Ineffective IT security architectures are costly. Respondents estimate an average potential total cost exposure from IT security failures of $77 million. The most significant financial impact results from the organization’s response to information misuse or theft followed by costs associated with reputation and brand damage because of IT security failure.

To learn more about these findings, check out the webinar.
