The long-running debate: Who is responsible for cybersecurity? Is it the CISO? Is it the CIO? Is it Legal or the CFO, as the cost of a breach becomes a larger piece of the pie in corporate risk and governance? According to 2017 Forbes Cybersecurity Insights, 69 percent of senior executives say digital transformation is forcing fundamental changes to their security strategies. Though the average cost of a data breach is about $4 million, in certain businesses the cost to brand reputation and customer confidence is far higher.
In my view, there are three factors that are accelerating the risk.
- New Technologies: Adoption of cloud, mobile, IoT, and big data demands a new security paradigm, as the data is distributed and centralized at once. Integrated identity becomes crucial, as there are multiple entry points and identity rights change with the context of data access.
- Complex Privacy Laws: The complexity of privacy law from country to country has grown many-fold over the last decade, forcing companies to look at security through a whole different lens to prevent lawsuits, while not compromising on the data visibility the business needs for effective operation.
- Company Culture: Most companies are dealing with a three-generation workforce (Baby Boomers, Gen X, Millennials), and each generation's views strongly influence the practice of security at the individual level. Coupled with company culture, the issue is multiplied, making people the most vulnerable link in the chain of security.
In a world of sophisticated technology, a myriad of governance around privacy and data policy, and a three-generation workforce culture, no single person owns it all. Something this complex and powerful requires more than one person, as in Guardians of the Galaxy. Though Peter Quill was the steward and leader of the group, what saves the galaxy is not just his strength, but the group's intelligence and synergistic execution. So in my opinion, it's time to end the debate over who owns security and start the discussion about forming the right coalition and stewardship to guard enterprise assets against threats. The CIO, in partnership with the CISO, must act as steward for cyber security and ensure that the right controls and processes are in place to protect enterprise assets.
I would also like to draw attention to a different view of security, one that is examined less often but is becoming more and more crucial. In Guardians of the Galaxy, many actions happen as the story unfolds that are not about attaining galactic power but relate to family feuds and personal conflicts. This is true in the business world too. Sad people and mad people can hurt themselves and others. An employee who has been affected by restructuring could do more harm to the company than any outsider. A careless finance employee sending an unencrypted payroll file via email can do more harm to the company's reputation and lawsuit exposure than an intruder. While we are very focused on protecting data, we can miss the critical connection point to the data, which is the human. In my opinion, protecting the human point is as important as, if not more important than, protecting the data itself.
While CEOs are racing to establish new business models for the digital age to block aggressive market insurgents, CIOs and CISOs should hurry to revise the security model for the new age. Well-designed security can be a strategic asset to the company. Consider the following:
- Prevention is better than cure. Don't underestimate the benefits of people-centric items like security awareness and education, policy-centric items like data protection and governance, and maintenance-centric items like automated patching.
- Security has to be more than perimeter protection. Today corporate data is everywhere: in the cloud, in the co-located data center, at the application vendor's cloud, and on premises. The strategy has to be not just protecting the castle but a layered security approach built on an identity-centric access management model.
- When it comes to detection, balance the investment between offensive and defensive tactics. Leverage cloud-based security intelligence and breach detection to stay current and minimize dwell time.
- Speed is the name of the game. Having a well-documented and well-practiced incident response plan is key. According to a Fortune 2017 survey, 68 percent of organizations said they plan to enhance incident response capabilities in the next 12 months.
- Practice makes perfect. Periodic drills at all levels, with varying use cases, are a great way to test the resiliency and recovery of the ecosystem. Ensure fundamentals like backups and data encryption, where appropriate, are in place; they are key to recovery when under attack.
- One final challenge CIOs need to tackle is funding priority. Typically, CIOs are tasked and measured on innovation to fuel growth and efficiency. The trick is how to balance investment between innovation and security. Boards are showing more interest in cyber security because of the business risk it poses, and my suggestion is to make the business case for investment with a clearly quantified business risk.
When it comes to security, the tone should be set at the top. Security is everybody's business. Behind every breach there is a person in the middle who, knowingly or unknowingly, opens the path to vulnerability. If we take a human-centric approach to cyber security, it will lead us to guard the company's crown jewels effectively.