Organizations must see cybersecurity as a business risk, not just a technology issue
Executive leadership must look beyond mere compliance and strengthen offensive position
By Byron Acohido, ThirdCertainty
You’ll get no argument from anyone in the global cybersecurity community if you make this statement: “There needs to be a paradigm shift in the way organizations of all sizes view information security.”
There are unmistakable signs that such a sea change is underway, driven by intensifying cyber exposures. But organizational change at a macro level won’t happen overnight. And a certain level of turmoil can be expected as the productivity side of the house battles for budget with the security side.
That’s the upshot of an impromptu discussion I recently had with three top cybersecurity experts from consulting giant Deloitte.
Ed Powers and Scott Keoseyan—U.S. managing principal and cyber threat intelligence director, respectively, at Deloitte’s Cyber Risk Services practice—and Adnan Amjad, a partner with Deloitte’s U.S. Cyber Threat Risk Management practice, helped lead Deloitte’s cybersecurity consulting services, which last year assisted nearly 1,000 clients with cybersecurity planning, including numerous large enterprises and federal agencies.
What Powers, Keoseyan and Amjad continue to hear is that the frustration level among senior management is rising. Despite spending truckloads of cash on the latest defensive technologies, cyber risks continue to intensify, seemingly with no end in sight.
Keeping tabs on information
Powers told me many organizations have been unsuccessful because they “predominantly use technologies for sharing information rather than protecting it.”
That includes virtualized data centers and cloud computing. While both can boost productivity, collaboration and innovation, they also introduce complexity, which translates into new exposures to intruders with malicious intent. Organizations must remember that they often are using technologies that have not—from a security standpoint—kept up with the pace of broader business innovation, Powers said.
A very fundamental shift in organizational thinking must take root, Amjad said.
Security must be built into systems from the beginning, and organizations must be more vigilant in monitoring them. It’s also critical that the systems have capabilities to respond to cyber attacks.
Not just an IT problem
And the productivity side of the house needs to work more in concert with the security side of the house. People must be cognizant that cybersecurity is a business issue—not just a technology issue. Of the nearly 1,000 cyber clients Deloitte served last year, many said security is a first-order business risk.
That way of thinking may be a difficult transition for lots of companies, so it must start at the top of the organization and permeate down.
Security landscape evolves
Some industries have caught on. Big banks recognize that security is a business issue for them. They are aware that the safety of their and their customers’ data is important. And some companies in the health care, manufacturing and energy industries have come to understand that cybersecurity is a critical part of their operations.
Many organizations, however, lag way behind in cybersecurity and must catch up. Like their counterparts with better security measures, they should determine the actual risk they face. Even the board members should be trying to understand this.
Organizations—even sophisticated ones—also must realize that protecting their own four walls is not sufficient. There are too many bad actors using numerous methods and routes to penetrate through the barriers and get access to critical information. Organizations must understand the vulnerability footprint of the people with whom they do business on a regular basis and be certain their supply chains also are secure.