Overly Complex IT Infrastructures Pose Security Risk

Cybersecurity budgets are set to increase in 2022, but companies worry that complex IT networks and data infrastructure are wasting money, new PwC survey finds.

3 Min Read
Photo of PricewaterhouseCoopers' building
Source: Chris Batson via Alamy Stock Photo

More than two-thirds of companies plan to increase their cyber budget in 2022 to better protect their systems and data, with more than half of executives fearing an increase in reportable attacks, new data from consulting firm PricewaterhouseCoopers shows.

Yet the major threat to companies is an avoidable level of unnecessary complexity that has led to increased risk, with three-quarters (75%) of executives agreeing that their organization's infrastructure has become too complex and nearly the same number agreeing that complexity has led to concerning levels of risk, according to the report. Overall, executives worry that complexity will primarily lead to breaches and financial losses but also hamper innovation and undermine operational resilience.

Organizations need to focus on simplifying their operations and infrastructure and determine whether complexity is necessary, according to PwC's new "2022 Global Digital Trends Insights" report.

"The consequences for an attack rise as our systems’ interdependencies grow more and more complex," the report states. "Critical infrastructures are especially vulnerable. And yet, many of the breaches we're seeing are still preventable with sound cyber practices and strong controls."

The Global Digital Trust Insights Survey annually polls more than 3,600 business, technology, and security executives, focusing on primarily (62%) large companies with at least $1 billion in revenue. While 69% of companies expect to increase their cyber budgets in 2022, and 26% expect an increase of 11% or more, many organization are not yet seeing a payoff from their investments in security.

More than half of companies have invested in cloud security, security awareness training, or endpoint security, but only roughly a third of those companies are achieving the benefits of those implementations, according to the "2022 Global Digital Trust Insights" report.

Part of the reason is the complexity of their environments, and often the technology, two PwC executives stated in a strategy brief published earlier this year.

"[C]omplexity has driven cyber risks and costs to dangerous new heights," Richard Horne, UK cybersecurity chair for PwC United Kingdom, and Sean Joyce, global and US cybersecurity and privacy leader for PwC United States, stated in a brief published in February. "The numbers of significant cyberattacks globally are increasing and include potentially devastating criminal 'ransomware' attacks and nation-state activity targeting government agencies, defense and high-tech systems by, for example, breaching IT network-management software and other suppliers.

Overall, the most mature organizations that are tackling complexity are 12 times more likely to have an engaged CEO, 11 times more likely to understand the risk that third parties pose to their cybersecurity and data privacy postures, and 10 times more likely to have a formal process for data trust practices, according to the report.

Yet only about a third of companies have taken steps to streamline their businesses and operations over the past two years, the survey found.

Simplify to Shrink the Attack Surface
Unsurprisingly, as the pandemic unfolded, 35% of companies have defined a new mix of remote, virtual, and on-site work, while 33% reorganized their business functions and 32% consolidated their technology vendors.

The companies evenly spread out their budgets for simplification across nine different initiatives, including an estimated 36% of budgets spread equally across "integrating controls and processes across disciplines," "reduc[ing] outdated or end-of-life technology," and "adopting a cloud-first technology strategy."

The report argues that companies should remove complexity and reduce their attack surface area to improve their security and reduce the cost of securing their systems and data.

Security operations and interdisciplinary teams should take another look at their own infrastructure to find complexity that has been left behind, according to the report. Find tech solutions that cannot work together and teams that are not collaborating on resilience or third-party risk management, failing to have a process in place for governing data, and not looping in the business teams when debating cybersecurity measures and technologies.

"Complexity isn’t bad in and of itself — often, it’s a by-product of business growth," the report states. "The costs of creating unnecessary complexity are not obvious, and it’s hard to create urgency around combatting complexity — that is, until an attack occurs."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights