Organizations must see cybersecurity as a business risk, not just a technology issue

Executive leadership must look beyond mere compliance and strengthen offensive position

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

You’ll get no argu­ment from any­one in the glob­al cyber­se­cu­ri­ty com­mu­ni­ty if you make this state­ment: “There needs to be a par­a­digm shift in the way orga­ni­za­tions of all sizes view infor­ma­tion security.”

There are unmis­tak­able signs that such a sea change is under­way, dri­ven by inten­si­fy­ing cyber expo­sures. But orga­ni­za­tion­al change at a macro lev­el won’t hap­pen overnight. And a cer­tain lev­el of tur­moil can be expect­ed as the pro­duc­tiv­i­ty side of the house bat­tles for bud­get with the secu­ri­ty side.

That’s the upshot of an impromp­tu dis­cus­sion I recent­ly had with three top cyber­se­cu­ri­ty experts from con­sult­ing giant Deloitte.

Ed Pow­ers and Scott Keoseyan—U.S. man­ag­ing prin­ci­pal and cyber threat intel­li­gence direc­tor, respec­tive­ly, at Deloitte’s Cyber Risk Ser­vices practice—and Adnan Amjad, a part­ner with Deloitte’s U.S. Cyber Threat Risk Man­age­ment prac­tice, helped lead Deloitte’s cyber­se­cu­ri­ty con­sult­ing ser­vices, which last year assist­ed near­ly 1,000 clients with cyber­se­cu­ri­ty plan­ning, includ­ing numer­ous large enter­pris­es and fed­er­al agencies.

Relat­ed sto­ry: Ven­dors arise to address new cloud com­put­ing risks

What Pow­ers, Keoseyan and Amjad con­tin­ue to hear is that the frus­tra­tion lev­el among senior man­age­ment is ris­ing. Despite spend­ing truck­loads of cash on the lat­est defen­sive tech­nolo­gies, cyber risks con­tin­ue to inten­si­fy, seem­ing­ly with no end in sight.

Ed Powers, U.S. managing principal at Deloitte’s Cyber Risk Services practice
Ed Pow­ers, U.S. man­ag­ing prin­ci­pal at Deloitte’s Cyber Risk Ser­vices practice

Keep­ing tabs on information

Pow­ers told me many orga­ni­za­tions have been unsuc­cess­ful because they “pre­dom­i­nant­ly use tech­nolo­gies for shar­ing infor­ma­tion rather than pro­tect­ing it.”

That includes vir­tu­al­ized data cen­ters and cloud com­put­ing. While both can boost pro­duc­tiv­i­ty, col­lab­o­ra­tion and inno­va­tion, they also intro­duce com­plex­i­ty, which trans­lates into new expo­sures to intrud­ers with mali­cious intent. Orga­ni­za­tions must remem­ber that they often are using tech­nolo­gies that have not—from a secu­ri­ty standpoint—kept up with the pace of broad­er busi­ness inno­va­tion, Pow­ers said.

Relat­ed sto­ry: Vir­tu­al data cen­ters make data theft easy

Adnan Amjad, partner with Deloitte’s U.S. Cyber Threat Risk Management practice
Adnan Amjad, part­ner with Deloitte’s U.S. Cyber Threat Risk Man­age­ment practice

A very fun­da­men­tal shift—the orga­ni­za­tion­al thinking—must take root, Amjad said.

Secu­ri­ty must be built into sys­tems from the begin­ning, and orga­ni­za­tions must be more vig­i­lant mon­i­tor­ing them. It’s also crit­i­cal that the sys­tems have capa­bil­i­ties to respond to cyber attacks.

Not just an IT problem

And the pro­duc­tiv­i­ty side of the house needs to work more in con­cert with the secu­ri­ty side of the house. Peo­ple must be cog­nizant that cyber­se­cu­ri­ty is a busi­ness issue— not just a tech­nol­o­gy issue. Of the near­ly 1,000 cyber clients Deloitte served last year, many said secu­ri­ty is a first-order busi­ness risk.

That way of think­ing may be a dif­fi­cult tran­si­tion for lots of com­pa­nies, so it must start at the top of the orga­ni­za­tion and per­me­ate down.

Secu­ri­ty land­scape evolves

Some indus­tries have caught on. Big banks rec­og­nize that secu­ri­ty is a busi­ness issue for them. They are aware that the safe­ty of their and their cus­tomers’ data is impor­tant. And some com­pa­nies in the health care, man­u­fac­tur­ing and ener­gy indus­tries have come to under­stand that cyber­se­cu­ri­ty is a crit­i­cal part of their operations.

Many orga­ni­za­tions, how­ev­er, lag way behind in cyber­se­cu­ri­ty and must catch up. Like their coun­ter­parts with bet­ter secu­ri­ty mea­sures, they should deter­mine the actu­al risk they face. Even the board mem­bers should be try­ing to under­stand this.

Organizations—even sophis­ti­cat­ed ones—also must real­ize that pro­tect­ing their own four walls is not suf­fi­cient. There are too many bad actors using numer­ous meth­ods and routes to pen­e­trate through the bar­ri­ers and get access to crit­i­cal infor­ma­tion. Orga­ni­za­tions must under­stand the vul­ner­a­bil­i­ty foot­print of the peo­ple with whom they do busi­ness on a reg­u­lar basis and be cer­tain their sup­ply chains also are secure.