In the last few years, we have seen an enormous increase in cybersecurity threats on the one hand and, on the other, high investments in cybersecurity appliances. The cyber battlefield has never been so vast and complex, and the attack vectors so diverse. However, cybersecurity (though defined as the aspect of IT that secures IT systems, networks, applications, and data from cyber-attacks) is not only about technology – it has become urgent to treat cybersecurity as a business issue.
This is even more so since the Covid-19 pandemic has permanently changed how we work, where we work and what assets we use. The dispersion of assets and team members has forced business owners to redefine their processes and workflows. According to Gartner, 88 % of the boards of directors included in its 2021 survey responded that they see cybersecurity as a business rather than a technology risk.
The “new normality” issues related to cybersecurity
Looking at the transformations organisations have gone through in recent years raises several questions:
- Has the digitalisation process been coordinated among different stakeholders of the organisation, or was it a matter of each individual department?
- When shifting from local software to the cloud, have security policies been revised and updated according to the new risk analysis?
- Are remote work and the use of business devices contractually defined and in line with security policies?
A modern business environment is not limited to one organisation. Thanks to cloud technologies, it interconnects with other companies in the supply chain and offers a better user experience – for employees and customers. However, it also provides more loopholes for attackers to exploit.
Another common issue is the myriad of IT assets and applications used in a business environment; many of them are cloud-based, and it frequently happens that IT staff do not have a transparent overview of what is used in the network. Furthermore, decisions about new appliances can be made every day without consulting the CIO or CISO.
To sum up, a myriad of devices and apps combined with poor coordination and communication may open doors to cyber-attackers and expose the organisation to high security risks. How should you proceed?
Make a paradigm shift from technology to cybersecurity as a business issue
According to ISACA, 82 % of respondents in its 2016 survey said their board is very concerned about cybersecurity. As mentioned above, 88 % of Gartner's respondents in 2021 see cybersecurity as a business issue. However, only 12 % of Gartner's respondents have formed a board-level cybersecurity committee.
Why are we progressing so slowly? In our opinion, the leading cause is a paradigm shift that has not happened yet. Traditionally, cybersecurity experts were part of technical teams; they installed and configured security devices, enforced password policies and occasionally reminded their colleagues to lock their screens and not let people tailgate. All of this was tied to one company and one IT environment.
Cloud technologies introduced a new way of communication and data transmission along the supply chain; this can range from linking two companies to linking, e.g., ten companies in a row. Imagine the number of entry points where an attacker can slip into the network and disrupt operations. The security issue is no longer confined to one company but has spread to all companies in the supply chain. Consequently, it is no longer a matter of internal IT patching an app and life going on; security departments along the supply chain have to be notified as well, and the issue resolved at a higher level. This is one aspect of the CIO's or CISO's business-related role.
Let CIOs and CISOs improve your business
Another burning issue is that managers do not consult their CIO or CISO before making decisions affecting IT security. It might be one tiny add-on to an application that completely transforms relations and connections within the environment, opens loopholes and lowers the cybersecurity level. Managers often skip this consultation because cybersecurity officers might block new installations for security reasons. Don't take this as a showstopper! Use it as an opportunity to improve your business.
Related to the previous example, the rapid shift to remote work during the Covid-19 pandemic has also contributed to a more fragile cybersecurity posture. Employees using business devices for private purposes or vice versa, and installing new apps without consulting their cybersecurity experts, pose a significant risk to every organisation. The policies regarding remote work should be communicated in board meetings and passed on to users directly from the CIO or CISO.
The financial aspect of sustainable cybersecurity management
Regarding cybersecurity, financial resources are often scarce (although some progress has been made in recent years). Yet, on the other hand, there is a common opinion that the more you spend, the better you are protected, and the less you spend, the less protection you get.
We have found another path: spend smartly. You certainly need some security devices; as a rule, the larger the organisation, the more you need. But there is no need for all the newest equipment available on the market. Spend your money wisely and take a moderate approach:
- Optimise the configuration of implemented security devices.
- Train your users since social engineering is the top entry point for attackers.
- Regularly test your cybersecurity posture with penetration tests and Red Teaming exercises – these give you the most transparent picture of how vulnerable you are.
- Get advice from experienced experts.
- Upgrade your cybersecurity protection with new apps, devices and systems when necessary.
Following these steps and treating cybersecurity as a business issue, you will have a deep insight into your cybersecurity posture. You will be aware of your weaknesses and ready to invest in those segments of the IT system. On the other hand, you will also know your strengths and feel confident about them.