Replica Cyber Discovers The Exception Is Now The Norm

The whole point of an exception is to provide a way to do something that would otherwise not be allowed. It is intended to be used rarely, because frequent use negates the reason for having a rule that says something should not happen. In areas such as compliance, exceptions should be granted only where there is compelling evidence that there is no other way to reach a solution, and even then only where no possible alternative exists. Yet granting exceptions is so common in some organisations that it almost negates the point of having rules to begin with.

A new Replica Cyber report shows that IT environments have normalised the use of exceptions. 100% of all respondents said that they had granted security or compliance exceptions to allow high-risk work to continue. The details are contained in a report entitled, Trading Safety for Speed: The Rise of the Exception Economy (registration required).

Kristopher Schroeder, CEO at Replica Cyber (Image Credit: LinkedIn)

Kristopher Schroeder, CEO at Replica Cyber, said, “Most people don’t care. It’s not that they don’t care about privacy. It’s not that they don’t care about security. They have a different priority. A different metric of what their success is measured on, your business users, your business owners.

“I need to increase revenue. I need to create a new product line. To do my job, I need to do X. That means I need to get this chunk of data, and I need to do analysis against it, or I need to process it differently, or I need to combine these things together. Security, you’re getting in my way, which means you’re slowing down our potential for growth and revenue.”

For anyone heading up security and compliance, even at the C-Suite level, this should send chills down their spine.

Why are we in this position?

Simply put, businesses need to be more reactive to compete, and that means taking risks. Nobody would want businesses not to take risks, certainly not the shareholders. But is there a case for so many exceptions?

The report would suggest there is. The findings show that strategic initiatives are stalling, not just slowing. 39% of organisations delayed or cancelled market expansion, product launches, M&A, or AI deployment because the work couldn’t be conducted securely. 20% of high-risk work was cancelled entirely.

Those numbers are significant. And that is why 100% of organisations have granted exceptions around security and/or compliance in the last year. Of these, 47% worked in corporate environments, while 43.5% used unofficial or ad-hoc environments. Of the latter, 43% shoved the work to third parties. Shadow IT is a major problem, and this shows that business units are prepared to use it when they want.

According to the report, “Roughly one in five teams say environments are not ready when needed. 20.5% report they are not provisioned before, or within an hour of, the work starting. Up to 3.5% say it takes 7 days or longer.

“The problem runs deeper than slow provisioning. When researchers asked VPs of Cybersecurity whether environments were ready before they were needed, the answer was yes only 5.3% of the time. Compare that to their C-suite counterparts: CISOs said yes 20.7% of the time, CIOs 20%, CTOs 27%.” 

What is not clearly evidenced in the report is how much benefit organisations are getting from bending the rules. There are benefits, or else this wouldn’t continue. It also has to be at a level that offsets the risks of fines from regulators and reputational damage for data loss. However, it seems that none of the respondents were willing to put that on record.

A failure of corporate process

Reading the report, it is clear that what is failing here is the corporate process. For example, when it comes to asking for an exception, there is no conversation with legal or compliance teams. That’s surprising given that the report dedicates a whole page to data and legal risk being the biggest barriers to intelligence sharing. There are 12 separate blockers on that page. So what is going wrong?

According to Schroeder, “Things are moving and evolving faster than they have before. Systems are evolving. Teams are evolving faster than they expected them to. Maybe the processes that they have in place didn’t catch up to the risk that they had brought on.”

The speed of change across technology is a known issue. And every organisation has processes that have been left behind. But when those processes bring risk to the business, there has to be a mechanism that forces a rethink. If not, the results can be disastrous.

An example

Schroeder continued, “I have an example in my mind of a customer who had purchased a company. There were known risks with the technology and the process that the company used, but the value was there. They purchased the company, and once it was integrated, they realised how significant those risks were to data exposure. They had to isolate that activity and fundamentally change how that organisation operated.”

That example fits the report. 45% of organisations said that their most sensitive business work, such as innovation labs, proprietary research, M&A, and high-stakes partnerships, is happening in environments that aren’t fit for purpose.

Is this a case where due diligence cannot finish, and risk increases? Do the systems fail to spot the problems? Are business and regulatory concerns around M&A activity the issue? Those are not clear from the report. The example, however, shows that someone decided there was more value than risk. That is different to system risks that require exceptions.

Data risk is everywhere

Third-party applications that are AI-enabled make up the majority of the systems that business units use. But how many security teams know what business units are using? How many know what is happening with the data introduced into those systems?

At Enterprise Times, we use Otter to record, transcribe and answer questions around interviews and podcasts. That means we trust it not to leak those conversations. I also use Leo, the AI inside the privacy browser Brave. It claims that it does not store data, nor does it train on user data. Instead, data is deleted after each session.

Many users do not use enterprise versions of ChatGPT and other programmes. Shadow IT often has them using personal apps. That means that they have little to no control over data leakage. Few IT teams have the time to investigate the policies of those apps, even when they are approved apps. Nowhere is this more of a problem than in AI and how it gathers data.

Interestingly, Schroeder says that AI is just the latest iteration of the problem of people not knowing what happens to their data when it leaves their environment. He believes IT teams should focus on what they can control. By taking advantage of the latest and greatest technology, they have to accept the risk of what is happening with data.

That risk acceptance, however, is rarely factored into corporate cyber insurance. It will be interesting to see how, if an exception causes a breach, it impacts insurance.

Enterprise Times: What does this mean?

There is a lot to this report, especially around the blockers that are seen as reasons to use exceptions. What readers of the report should be asking themselves is, “How do I remove the blockers?” At the moment, those people are more focused on how to work around the blockers and get exceptions. It is an unsustainable level of risk that business units don’t seem to care about.

There are questions for those C-suite and other executives who grant exceptions. Are you willing to accept what happens as the cost of doing business? Did the team asking for the exception deliver a risk analysis? If not, why did you grant it? What other options did you have? Why are you granting so many exceptions rather than removing blockers?

This is a very interesting and very timely report that will open up some embarrassing and tough questions in organisations.

The post Replica Cyber Discovers The Exception Is Now The Norm appeared first on Enterprise Times.
