Is your organisation too complex to secure?

In an overly complex organisation, it’s easy for the left hand not to know what the right hand is doing — and the consequences for cybersecurity and privacy can be dire. Seventy-five percent of C-suite respondents to our survey, including CISOs, say their companies are too complex, avoidably and unnecessarily so, and nearly as many say complexity poses “concerning” cyber and privacy risks to their organisations in 11 key areas.

Data seems to be a chief point of concern, especially among large companies (revenues of $1 billion or more). Data governance (77%) and the data infrastructure (77%) ranked highest among areas of “unnecessary and avoidable” complexity. 

Technology networks and devices are also highly complex, particularly in large companies and North American companies. Digital-native companies — those that exist entirely online — tend to use the newest technologies, which are designed to connect and operate together. Most other companies’ technology architectures, which include legacy systems, are more complicated. Mergers with other entities may multiply risks by connecting already complex networks and systems. 

The most worried about all this complexity are CEOs. They assign a complexity level of 10 to seven of 11 areas in their organisations. CEOs tend to be more concerned about cyber and privacy risks arising from complexities in the cloud environment, governance of tech investments, and crossover from IT to operational technology (OT). 

Executives in large organisations and in North America are more likely to be concerned about risks from complexities in the cloud environment and the crossover from IT to OT.

75% of executives report too much complexity in their organisations, leading to ‘concerning’ cyber and privacy risks

The move to simplification

Businesses know the risks of complexity, yet only 35% of our respondents have performed any streamlining of their operations and a quarter say they’ve done nothing at all or are just getting started. But a shift appears to be underway. 

Simplifying an organisation takes time, requiring changes in viewpoints and company culture. That’s not easy to achieve, but the payoffs are mighty. The companies that had the best cybersecurity outcomes over the past two years (most improved) are 5x more likely to have streamlined operations enterprise-wide. They’ve focused on consolidating tech vendors (62%), defining/realigning the mix of in-house and managed services (60%), reorganising functions and ways of working (59%) and creating an integrated data governance framework (58%). 

More and more CISOs and CIOs are taking a hard look at their tech investments, no longer just entertaining or chasing the latest products from tech vendors. We’re seeing consolidation of tech vendors and applications to reverse the hard-to-manage and risky tangle of disparate and vulnerable software and tech stack. 

Simplification of cyber. To be fair, simplifying cybersecurity can be challenging. Even knowing where to begin can be difficult, especially given the attacks hitting businesses on every front. Asked to prioritise among nine initiatives aimed at simplifying cyber programs and processes, respondents couldn’t choose, allotting near-equal importance to all of them. CISOs who are building layers of control, for defense in depth, are well-intentioned but must guard against introducing more complexity and cost. More controls don’t always make a company more secure.

Moving to the cloud can help simplify business processes and IT architecture, provide flexibility and accelerate innovation. Yet companies typically waste an average of 35% of their cloud budgets on inefficiencies. Runaway complexity can quickly result from extensive technology options, new architectural approaches, complicated service plans, unused capacity and confusing billing and pricing, especially when the technologies offered are constantly changing. 

Done right, however, cloud transformations can be secure, efficient, and successful. Cloud security is the top investment priority of our survey respondents, as well as in our June US-specific survey. That’s encouraging — but only 16% report realising benefits from these investments. Thirty-five percent haven’t fully benefited from cloud security investments and 45% are just starting or planning theirs.

Whether or not you’re using the cloud to simplify, minimising and combining your tech stack and processes may feel like a bold move. Doing so requires asking hard questions and maintaining a keep-it-simple mindset. To get there, your organisation will need security-minded leadership starting at the very top. 

Don’t overlook moves that can have a significant impact. For example, two moves — deploying two-factor authentication and putting your remote desktop protocol (RDP) behind the firewall — can vastly reduce the risks from phishing, which remains a popular tactic, by itself, and in tandem with malware and ransomware attacks.

Simplification in organisations: 3 in 10 have streamlined over the last two years

Simplification of cyber: spending is spread across several initiatives

Average share of total spending on cyber simplification