In an overly complex organisation, it’s easy for the left hand not to know what the right hand is doing — and the consequences for cybersecurity and privacy can be dire. Seventy-five percent of C-suite respondents to our survey, including CISOs, say their companies are too complex, avoidably and unnecessarily so, and nearly as many say complexity poses “concerning” cyber and privacy risks to their organisations in 11 key areas.
Data seems to be a chief point of concern, especially among large companies (revenues of $1 billion or more). Data governance (77%) and data infrastructure (77%) ranked highest among areas of “unnecessary and avoidable” complexity.
Technology networks and devices are also highly complex, particularly in large companies and North American companies. Digital-native companies — those that exist entirely online — tend to use the newest technologies, which are designed to connect and operate together. Most other companies’ technology architectures, which include legacy systems, are more complicated. Mergers with other entities may multiply risks by connecting already complex networks and systems.
The most worried about all this complexity are CEOs. They assign a complexity level of 10 to seven of 11 areas in their organisations. CEOs tend to be more concerned about cyber and privacy risks arising from complexities in the cloud environment, governance of tech investments, and crossover from IT to operational technology (OT).
Executives in large organisations and in North America are more likely to be concerned about risks from complexities in the cloud environment and the crossover from IT to OT.
Complexity isn’t bad in and of itself. Often, it’s a by-product of business growth. The larger an organisation, the more complex it will naturally be, needing more people and technologies to serve a growing customer base.
The costs of creating unnecessary complexity are not obvious, and it’s hard to create urgency around combating complexity — that is, until an attack occurs.
One company needlessly kept the sensitive data of people it no longer did business with, making that data available for hackers to steal.
In our article Simplifying cyber, we give examples of how simplification can improve security. At a global retail organisation, six vendors managed customer contacts. Two of those vendors’ systems had been breached in the past. After consulting with the CEO and board, the new operations director whittled the vendor list down to two. This simplification improved security: monitoring two vendors is easier than keeping tabs on six, information access became easier to control, and the retailer could more readily back up the smaller cache of customer data.
Asked to name the top consequences of operational complexity, our respondents named:
In the view of executives, complexity not only threatens today’s fortunes. It also prevents organisations from creating new opportunities quickly and pursuing future ones.
Businesses know the risks of complexity, yet only 35% of our respondents have performed any streamlining of their operations and a quarter say they’ve done nothing at all or are just getting started. But a shift appears to be underway.
Simplifying an organisation takes time, requiring changes in viewpoints and company culture. That’s not easy to achieve, but the payoffs are mighty. The companies that had the best cybersecurity outcomes over the past two years (most improved) are 5x more likely to have streamlined operations enterprise-wide. They’ve focused on consolidating tech vendors (62%), defining/realigning the mix of in-house and managed services (60%), reorganising functions and ways of working (59%) and creating an integrated data governance framework (58%).
More and more CISOs and CIOs are taking a hard look at their tech investments, no longer just entertaining or chasing the latest products from tech vendors. We’re seeing consolidation of tech vendors and applications to reverse the hard-to-manage and risky tangle of disparate and vulnerable software and tech stacks.
Simplification of cyber
To be fair, simplifying cybersecurity can be challenging. Even knowing where to begin can be difficult, especially given the attacks hitting businesses on every front. Asked to prioritise among nine initiatives aimed at simplifying cyber programs and processes, respondents couldn’t choose, allotting near-equal importance to all of them. CISOs who are building layers of control, for defense in depth, are well-intentioned but must guard against introducing more complexity and cost. More controls don’t always make a company more secure.
Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation. Yet companies typically waste an average of 35% of their cloud budgets on inefficiencies. Runaway complexity can quickly result from extensive technology options, new architectural approaches, complicated service plans, unused capacity and confusing billing and pricing, especially when the technologies offered are constantly changing.
Done right, however, cloud transformations can be secure, efficient, and successful. Cloud security is the top investment priority of our survey respondents, as well as in our June US-specific survey. That’s encouraging — but only 16% report realising benefits from these investments. Thirty-five percent haven’t fully benefited from cloud security investments and 45% are just starting or planning theirs.
Whether or not you’re using the cloud to simplify, minimising and combining your tech stack and processes may feel like a bold move. Doing so requires asking hard questions and maintaining a keep-it-simple mindset. To get there, your organisation will need security-minded leadership starting at the very top.
Don’t overlook moves that can have a significant impact. For example, two moves — deploying two-factor authentication and putting your remote desktop protocol (RDP) behind the firewall — can vastly reduce the risks from phishing, which remains a popular tactic both on its own and in tandem with malware and ransomware attacks.
Average share of total spending on cyber simplification
For Operations and Transformation Leaders
Ask: what’s the cyber plan for that? You can ignite major changes — operational and cultural — simply by asking this one question of every business executive in charge of a transformation or new business initiative. By placing cybersecurity front and centre, you can avoid the unnecessary and costly complexities that arise when it’s an afterthought.
Include the CISO and security teams early in cloud migration and adoption, mergers and acquisitions, and other organisational initiatives. That way, every executive at the helm of a major business initiative will be able to readily answer the cyber-plan question.
For the CISO and CIO
Dare to subtract. Left on their own, technology and data tend to multiply, divide, and conquer efficiency and security. Whittle down excess with security goals in mind: assess your data stores and eliminate everything you don’t need now; move your disparate apps and solutions into a cloud environment for easier management; and consolidate, liquidate, and automate where you can.
Also, rethink your tech and cyber investment processes. Focus first on simplifying where benefits are greatest for the whole organisation.
Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US