In advance of Halloween this year, one of the leading public relations firms interviewed 511 IT decision-makers to determine what haunts them most. After all, Halloween is that one night a year when all our demons are supposed to be allowed out. Unfortunately, in the IT industry, every day is now Halloween.
Most of the responses to the survey focused squarely on IT security issues. Information/data breaches (31 percent), major service outages (26 percent), ransomware threats (22 percent), inside threats/rogue employees (19 percent), zero-day viruses (18 percent) and distributed denial-of-service (DDoS) attacks/hacks (18 percent) topped the list of what haunted respondents.
That creates an opportunity for solution providers to sell IT security solutions and services to address those issues. But there’s also something more insidious at work here. Not only is more of the IT budget being allocated to security, but the amount of time and energy spent on these issues is rising as well. In fact, a lot more IT projects are being either delayed or scrapped altogether because of security concerns.
That’s a major problem for IT organizations and solution providers alike. The most common response to fear is not fight or flight; it’s paralysis. Faced with an unknown threat that continues to get scarier as each new breach winds up exceeding anything before it, many IT and business leaders are becoming more hesitant. Business and IT leaders are generally used to assessing known risks. But that’s hard to do in a digital world where the number of potential vulnerabilities seems limitless.
In fact, a recent report from Veracode, a provider of application security tools, finds that 97 percent of all Java applications have at least one vulnerability. The reason for this, states the report, is that many developers now routinely share modules and components. Not surprisingly, a lot of those modules and components have vulnerabilities that start to get replicated across multiple organizations. All an experienced hacker needs to do is identify the piece of code being used to determine how to exploit it. Gullible end users then make it child’s play to load the appropriate piece of malware on an endpoint that the hacker then uses to exploit the same vulnerability repeatedly.
It’s little wonder that users are starting to lose confidence in IT. That’s bad for business for everybody. Conceptually, IT and business leaders know the only thing they have to fear is fear itself. But that’s difficult to focus on when IT leaders are concerned for their jobs. In addition, the organizations they work for are being held more accountable for IT security by any number of government agencies. With the passing of each high-profile security event, the fines imposed get stiffer. Inevitably, the blame for those breaches rolls downhill to the IT department. The natural response of the IT leadership is to cut risk by reducing the attack surface they need to defend. All too often, that results in fewer IT projects.
The truth of the matter is that all these IT security issues are going to have a chilling effect on IT spending. The channel as a whole has a vested interest in making sure that doesn’t happen. Rather than thinking of IT security in terms of an opportunity to be monetized, solution providers need to view IT security as more of a shared responsibility. That may run counter to a solution provider’s natural instincts. But at the rate security breaches are occurring, it’s increasingly apparent that the very industry on which solution providers depend to make their living is being terrorized.
In an ideal world, the only spooky things a customer should have to deal with are the little ones that come to the front door asking for candy. Unfortunately, there really are digital ghosts inside the proverbial machine. It’s clearly in the best interest of the channel to help as many customers as possible exorcise those ghosts before damage to the IT industry becomes any more permanent than it already is.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications, including InfoWorld, CRN and eWEEK. He currently blogs daily for IT Business Edge and contributes to CIOinsight, Channel Insider and Baseline.