Cybercriminals are innovating. New attack vectors — everything from fansmitter information stealing to the rise of smishing — have cybersecurity professionals struggling to keep up. It’s no surprise that many companies are investing heavily in innovation to both protect corporate networks and empower end users.

As noted by SC Magazine, however, a new business innovation study by Ponemon Institute found that efforts to think outside the box and the drive to keep the enterprise safe may be working at odds.

Business Innovation Study Bears Bad News

According to IT Pro Portal, there’s something very wrong with the state of cybersecurity. Despite the best efforts from organizations and IT professionals alike, successful attacks are on the rise. Security spending is expected to hit $170 billion by 2020, and the U.S. plans to shell out $19 billion on cybersecurity research.

Still, cybercrime is up 20 percent year over year. Additionally, 81 percent of health care agencies were compromised last year and ransomware incidents are up 172 percent so far in 2016. This is not good news.

Burning at Both Ends

The Ponemon Institute business innovation study revealed that companies are burning the candle at both ends trying to satisfy the demands for easier access and more direct user control without exposing the organization to undue risk.

Efforts to address the lack of necessary access controls and security safeguards limits the amount of time IT professionals have to innovate. At the same time, prematurely empowering users to manage access rights can open new security gaps.

Put simply, cybersecurity remains the industry’s problem child. More spending hasn’t fixed the issue, and efforts to sidestep the problem have only made it worse.

An Inextricable Link

So what’s the solution to this cybersecurity crisis? The Harvard Business Review pointed to improved executive buy-in. Security professionals must learn to make an effective business case for IT security not as a stopgap measure or cure all, but rather an integral part of a long-term corporate strategy. This nets critical monetary resources and helps shift corporate culture away from reactive defense to more proactive protection.

As noted by Federal Computer Week, meanwhile, efforts to improve cybersecurity may be best served by the recognition that IT modernization, improved security and innovation are inextricably linked. In other words, it’s not enough to give IT professionals free rein to innovate at the cost of security, nor can security budgets override the need for corporate creativity. Instead, the march toward a tech-driven future depends on a combination of these two outcomes. This create a symbiotic relationship that gives IT the room to create without abandoning control.

Ultimately, trying to out-innovate cybercriminals is a losing battle since they don’t contend with corporate culture or C-suite requirements. To achieve any meaningful progress against attackers, companies must create a kind of inextricable link between innovation and security. Where goes the box, so too goes its bulwark.