Security: A Business Mandate
By: Bob Bragdon | 01/24/2017
If we’ve learned nothing else over the past several years, I hope that we’ve at least come to understand that security is everyone’s responsibility. At CSOonline.com, story after story has documented how the largest and most impactful security events have been facilitated by poor security practices, or even simple security oversights. These don’t just occur in the core of our computing environments, but at the edge, where security is defined by security awareness training and good digital hygiene. I fear, however, that this message continues to be lost at too many businesses, as nearly half of the organizations in a recent survey did not conduct any security and privacy awareness training for their employees.
Too often security falls victim to a checkbox mentality driven by regulatory compliance requirements that fail to deliver any measurable advancement in actual security posture. This has been a problem as long as we’ve been covering security, and it will no doubt continue to be a big problem for the foreseeable future. But examples have shown us, and research proves, that the best-defended organizations are those that have worked hard to create a culture of security from the Board down to the intern.
Interest and engagement by the Board of Directors in security has never been so high. As industry groups like NACD (National Association of Corporate Directors) in the United States have charged their members with focusing more on cyber risk, boards have come to understand that the impact from a security incident can go far beyond a temporary hit on the stock price, or fines and sanctions from regulators. Reputational damage and legal actions can, and will, affect the bottom line, as well as executives’ own personal positions. The Verizon acquisition of Yahoo is a perfect example. Inside sources at Yahoo have painted a picture of a good security team that senior leadership was not interested in hearing from; they had other priorities. With over a billion records compromised, what do you think the likelihood is that Verizon will seek to re-negotiate the terms and purchase price of Yahoo, if it even moves forward (he asks rhetorically)? In short, for many organizations cyber risk is a board-level priority. But clearly not everywhere.
But I believe that many businesses are coming to realize the importance of addressing cyber risks, commensurate with the risk appetite of their organizations. What do I mean by that caveat? I mean that too much security can impede the business, and too little will expose the business to undue risks. Good cyber risk management means understanding the threats to the business and the risk appetite of the organization, and then prioritizing investments based upon those two factors. In research this year we examined the top security priorities for businesses around the globe and found that their top priority was to improve collaboration between the business, IT and security, followed by addressing emerging security challenges posed by the adoption of evolving business models. As we leverage technology more and more, cyber risks to the business are elevated. That realization is a very good sign.
Our businesses now rely heavily on digital business ecosystems that allow them to function. Not just our own IT systems, but the ones we connect with at our business partners and customers. This has created a larger ecosystem reliant upon technology and vulnerable not only because of its interconnectivity and complexity, but also because it is only as secure as its weakest point. In 2016, more than two out of every five security incidents could be attributed to a third-party business partner. So, while your organization may have ingrained a culture of security, there’s no telling if your business partners have done the same, despite any attempts to push your security standards onto them.
Good cyber risk management will continue to evolve, driven by compliance requirements, but also by good business practices that recognize the importance of our business ecosystems, and the potential impact on the business, should they be compromised.
The changing business landscape, its impact on security, and the continued collaboration between IT and security leaders are the foundation for the launch of SecurIT, a one-day event hosted by CIO and CSO that addresses managing risk for the enterprise.
We look forward to having you join us on June 21, 2017 in Washington, D.C. Contact me to discuss sponsorship opportunities and how your solutions can help ease security challenges.