The COVID-19 pandemic changed more than how people work. Organizations boosted their security investments in response to an increase in cyberattacks and adopted a “data-centric” mindset to protect their information investments over the past year, according to a study Capgemini and Forrester released today.
With this data-centric approach, organizations are trying to reduce cyber risk and remove internal business growth barriers, according to the study, titled Making Your Business Cyber-Resilient In 2021. Based on interviews with 215 IT decision-makers — 63% were directors and 29% were vice presidents — the report found that IT leaders were trying to balance cyber risks with the demands of keeping their business running. Enterprise IT teams need to protect the organization’s data from accidental breaches and cyberattacks, but they can’t use security controls that make it impossible for the business to keep operating.
What is data-centric security?
Data-centric security prioritizes securing data where it’s stored and processed, instead of focusing on security controls for hardware and network infrastructure. Data-centric models also take a zero trust approach by applying the principle of least privilege to determine user access. Zero trust reduces cyber risk because the user requests privileged access only when needed.
The proliferation of cyberattacks during the pandemic is one of several factors making data-centric security a priority today. It’s also proving to be a catalyst that’s putting greater emphasis on identity and access management, cybersecurity controls, and endpoint security.
Even the National Security Agency (NSA) emphasized zero trust and data-centric security in recent guidance. The “data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors,” the NSA said.
Why data-centric security matters
The Capgemini and Forrester study showed how organizations are prioritizing cyber-resilience as a way to scale data-centric security.
Data-centric security dominates budgets. Of the 75% of companies planning to increase their cybersecurity budgets in response to COVID-19, the majority of the respondents (71%) said they prioritized data-centric security. A health care CISO told VentureBeat they accelerated their plans to build out zero trust frameworks in response to new security concerns and requirements over the past year. Protecting existing and new digital sales channels was always important, but it became urgent during the pandemic because of changes in customer buying patterns, the CISO said.
Cyber-resiliency protects revenue. Threats to organizations’ channels, operations, and revenue increased over the past year compared with pre-pandemic levels, according to 68% of the survey respondents. A little over three-quarters of the survey participants (79%) said their digital business grew too quickly for them to keep up with, making it harder to keep their organizations cyber-resilient. Six in 10 organizations don’t have the tools or technology they need, which explains why the report found that cybersecurity spending increased by 66% last year.
Defining a cyber-resilient roadmap. Organizations are developing cyber-resiliency roadmaps as part of their zero trust initiatives. They want greater visibility across every endpoint enterprise-wide and the ability to enforce least-privileged access to every data asset. They also want to reduce risk and internal barriers to online revenue growth. The Capgemini/Forrester study found two other things IT leaders want: skilled employees and foundational security controls.
Getting started with data-centric security. By definition, data-centric security is a framework with supporting methodologies and classification taxonomies, and it needs to be an organization-wide initiative to succeed. With cybersecurity attacks concentrating on data assets, endpoints, and identities during the pandemic, organizations are opting for the zero trust framework as their data-centric security strategy.
Capgemini and Forrester’s report provides a timely glimpse into how organizations translate their data-centric investments into concrete security plans. Data-centric models deliver the most value when they improve application, tool, and device visibility across organizations. Identity and access management (IAM), cybersecurity controls, and endpoint security provide that level of visibility. Leading vendors in IAM include BeyondTrust, Centrify, CyberArk, Ivanti, and Thycotic. Leading endpoint security vendors include Absolute Software, CrowdStrike, Cybereason, and Ivanti.
The study provides compelling results that reflect how cyber-resilience is essential to protecting revenue, defining a data-centric security roadmap, and managing cybersecurity decisions from a business perspective first.
Investing in cybersecurity is now primarily a business decision, rather than a technological one. The growing number of cyberattacks on data assets, endpoints, and identities directly impacts revenue and can thwart new online sales channel growth. The NSA’s prescriptive guidance on zero trust comes just as many organizations are struggling to define their data-centric security strategies.
“Zero trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries,” the NSA said in its guidance.