No question, sound cybersecurity practices are critical. Too often, however, they are a misunderstood aspect of a company’s technology infrastructure. An enterprise knows it doesn’t want to be a victim of a security breach and must spend lots of money to enhance cyber protection, but this isn’t nearly enough.
Cybersecurity must also be viewed in perspective—a business perspective, to be precise.
This means, among other things, that companies must be able to aggressively debunk a potpourri of myths. They must realize, for example, that not all assets in the organization must be protected in the same way. They must realize that spending more money on cybersecurity may not make the organization more secure—and neither necessarily does buying the most advanced technology. And, too, they must appreciate that external hackers are hardly the only threat to corporate assets.
Fact is, businesses need to look harder at the big picture and develop better business acumen. This involves, among other things, the need to develop meaningful metrics to assess the quality of their cybersecurity protection, prioritizing the protection of their most important assets (rather than all assets), strongly encouraging organization-wide give-and-take cybersecurity discussions, and taking steps to enhance protection in the new age of the Internet of Things (IoT).
Companies should also be willing to consider adopting some cutting-edge cyber technologies, which, unlike other not-quite-so-new technologies, actually appear to have the potential to boost the quality of cybersecurity in a big way.
All this is distinct from becoming a cyber-resilient business—the goal of which is to be able to adapt and continue delivering services to customers during a data breach. This development has been making more progress and attracting more attention than improving business acumen. Too many companies have found it easier to maintain organizational operations and good customer service than to stop, or at least curtail, a breach in the first place.
On the business acumen front, enterprises need to improve by bundling the cybersecurity technologies and techniques they already have with basic trust, which undergirds all the cybersecurity decisions that executives and managers make. Today, unfortunately, basic trust is generally lacking in many cybersecurity initiatives, in part, because of competing agendas. For example, top managers and the board may see cybersecurity as a priority only when an intrusion occurs. Conversely, a good CISO and his or her team view security as an everyday priority—a huge disconnect.
With trust, businesses can make better decisions about their security priorities and response plans.
One such decision that should be made at this point would be jettisoning typical one-size-fits-all cybersecurity strategies. They are easier to implement in a company but too simplistic. Not all data is created with equal value. For example, the customer data associated with a bank’s credit card program or a retailer’s loyalty card program have far more value than the generic invoice numbers and in-house policy documents. A strong cybersecurity strategy provides differentiated protection of corporate assets.
Companies must also better balance protection against outside threats with better protection against surprisingly significant inside threats. Employees are closest to key data and other corporate assets and are often the weak link in a company’s cybersecurity program, often inadvertently, for example, by sharing passwords or files over unprotected networks or by clicking on malicious hyperlinks. The solution is the improvement of internal risk culture through better cybersecurity training methods.
At a higher corporate level, surveys show that many board directors cannot ask the right questions today because they lack meaningful metrics with which to assess their cybersecurity efforts. For example, in a pool of 200 CEOs by RedSeal, a Silicon Valley cybersecurity analytics company, 87% of respondents reported needing a better way to measure the effectiveness of their cybersecurity investments. Too often, directors as well as executives spend too much time studying technical reports on such things as the numbers of intrusion detection system alerts and software patch implementations.
To improve things, companies need to provide directors with better basic training in the scope and implications of cybersecurity risk and require that top managers provide their boards with meaningful data about not just the state of data security but also about the resilience of the organization’s digital networks.
Meanwhile, on the all-important IoT front—one in which the number of devices is growing by the billions—a McKinsey & Company survey shows that only 16% of respondents say their company is well prepared to tackle the security threats posed by poorly protected IoT devices, typically because of insufficient budget allocations. More than a third of companies surveyed don’t even have a cybersecurity strategy that also covers the IoT.
The “act-now” mentality of top executives and board members is in short supply and must change.
Last, let’s not forget that enterprises would be wise to strut their business acumen and at least go to the trouble to learn about—and perhaps invest in—early-stage nascent cybersecurity technologies such as continuous controls monitoring (CCM) and homomorphic encryption (HE).
Early versions of CCM, recently introduced into the market, over time will enable companies and government entities to stop playing whack-a-mole in trying to discern which one or two of 50-plus security threats are legitimate, then swiftly respond accordingly. Most big companies, for example, do not know the percentage of workers’ computers and mobile devices running the company’s anti-virus software, according to Forrester research.
We’re learning that the control or controls that would have stopped a cyberattack and thought to be present and operational in fact were not—and just when they were most needed. This is what happened earlier this year, when hackers exposed the personal information of more than 100 million Capital One credit card customers. The culprit, in part, turned out to be a typical failure of detection or rapid response.
Forrester Research points out that only a third of companies surveyed have real-time insight as to whether security controls are performing the way companies expect. This will soon become even a more serious issue given the pending implementation of new 5G networks.
HE, another highly promising technology years in development and on the cusp of becoming commercially viable, is a method of performing calculations on encrypted information without decrypting it first. If widespread, this would make enterprises substantially more secure. IBM, Microsoft and the National Security Agency have been working on HE for years, as has Maryland-based startup Enveil. Alphabet Inc.’s Google is among the companies using HE technology, in part.
Understanding the big picture and acting accordingly is a tried-and-true path to success in countless endeavors inside and outside of business. Most businesses embrace this ideology in the fundamentals of research and development, production and marketing. It’s time they expanded their scope to include cybersecurity.