From escalating cybersecurity risks to stricter regulatory requirements, chief technology officers and other IT leaders are facing more challenges than ever before, placing significant strain on their time and resources.
“More and more IT leaders are getting burned out,” says Arnaud Vanderroost, vice president of sales for EMEA at internet security company GlobalSign. “The workload is growing and growing, but budgets haven’t followed the growth of the regulatory landscape and the number of cyberattacks.”
This tricky regulatory backdrop is increasing the compliance burden on IT leaders tenfold. There were more than 61,000 regulatory alerts issued by global regulators in 2022, the third-highest total since 2008, according to Thomson Reuters.
At the same time, the cost of non-compliance is also rising. The European Union’s General Data Protection Regulation (GDPR), for example, puts companies on the hook for fines of €20m or up to 4% of global turnover (whichever is higher) if they fail to comply with the rules. More than $4.5bn in fines have been dished out since GDPR came into effect in 2018.
Vanderroost flags that regulations will continue to come down the pipe as cyber threats proliferate. The EU’s digital identity, authentication and trust services regulation, eIDAS 2.0, is one that is set to be approved in the next few years. Intended to simplify and safeguard cross-border transactions, it will require electronic signatures, seals, and time stamps to secure public and private online services. But the proposal, built to reinforce trust in the digital ecosystem, will no doubt create extra work for IT leaders.
“We’ve still got a couple of years before it actually goes live, but if people don’t start preparing now, then they will not be ready in time,” says Vanderroost. Modern slavery regulations and environmental, social and governance requirements are only adding to the compliance issues that IT leaders need to consider, he adds.
Of course, for IT teams, getting a grip on the rising tide of cyber risks is a priority. There were more data breaches in the US during the first nine months of 2023 than the whole of 2022, according to an MIT and Apple report published in December. Ransomware attacks are also becoming more frequent, with the number of reported incidents globally jumping 95% in 2023 compared to a year earlier, according to Corvus Insurance.
By and large, IT leaders are now adopting a zero-trust approach to cybersecurity, whereby anyone who tries to access the network will be treated as a potential security risk and vetted before being granted access. Some are focused on automating this process by using two-factor authentication underpinned by digital certificates, a strategy that would raise security levels while giving organisations greater confidence that only authorised users can access the network.
Others adopt digital certificates for automated document signing to meet eIDAS 2.0 standards, while some leverage cloud-based tools for increased capacity and on-the-fly document signing. Certificate ‘roaming’ automation allows seamless device switching, granting access to encrypted messages without repeated logins.
One thing is clear: IT leaders will need to turn to tech and automation to ease the burden on their teams.
Google’s proposal to cut the validity of SSL certificates (which tell internet users whether or not you can trust a website) to 90 days from its current 397 days, or roughly 13 months, has brought this into sharp focus. Instead of having to go through the process once a year, organisations will need to apply for SSL certification four times a year.
“IT leaders just don’t have the time to do that,” says Vanderroost. By using the so-called ACME (Automated Certificate Management Environment) protocol, IT leaders can automate SSL certificate renewal, leaving them free to focus on more pressing issues. “It’s not so much compliance, but it takes away some of the resource burden and ensures there are no problems with their website,” says Vanderroost.
Automation can, however, bring challenges along with opportunities. Handing over control to a machine can be problematic if the machine fails, he notes: “If something gets issued incorrectly on a large scale and you need to revoke everything, that could have serious ramifications for the company.”
The pressure on IT budgets means organisations also sometimes cut corners, which can lead to potential security vulnerabilities for cybercriminals to exploit. Take the growth in Internet of Things devices. Vanderroost has observed potential customers in the market for digital certificates to secure their IoT devices who ultimately opt against due to shoestring budgets.
“This means that a lot of IoT devices go on the market without any proper protection, which can then lead to DDoS (distributed denial-of-service) attacks and other large-scale attacks that you see on the bigger networks of financial institutions and other large companies,” he explains.
Companies facing such attacks not only risk damage to their brand reputation and loss of customers but also expose themselves to potential regulatory penalties. In particularly aggressive cases, they may even find themselves compelled to pay ransoms to cybercriminals. Vanderroost adds that if the cost of recovering from a ransomware attack, including getting the network back up for operations, is considered, it often surpasses the expense of implementing annual cybersecurity measures to safeguard against the breach in the first place.
“As a CTO, you’ve got so much to know and so much to handle, and you’re often not up to date with the latest compliance requirements,” says Vanderroost. “So it’s always good to seek out the expertise of partners and certificate authorities like GlobalSign to get the latest insights. It’s always better to prevent than cure.”
While the number of cyberattacks snowballs and new regulations enter the equation, automation will be an increasingly important support system for IT leaders to reduce their compliance burden and keep their networks secure.
Learn more at globalsign.com