Security is not an app – it’s a process

Stefano Ciminelli Stefano Ciminelli, Executive Director, EY, writes why cybersecurity is a mindset rather than an activity.

“How can I add security?” Until a decade ago, it was quite normal for executives to ask this sort of question. At that time, security was often thought of as a bunch of hardware appliances (firewalls, routers, etc.). It was considered as yet another line in the yearly budget, a cost of doing business – something to keep auditors satisfied.

The landscape has totally changed since then. Security is now commonly known as cybersecurity, and cyber attacks are making the headlines in newspapers every day. As a result, cybersecurity risks are at the top of the C-suites agenda. Even governments and regulators are building cybersecurity capabilities – in some cases, not only to protect and oversee, but also as a means to attack and defeat.

However, even in this new landscape, there are still executives who believe that security is something that can be “plugged into” the organization. Let’s be clear – security is not an app. It’s not something that can be purchased, downloaded, installed on your phone and then you are all set up. Security is a process; it is about adopting the right risk culture – and having access to security resources should encourage organizations to stop doing security and start doing business securely.

In this cyber world, CIOs are in a good position to push for change – transforming security from just a function in the organization to something actually embedded across all existing organizational processes. Here are two questions for organizations to consider:

Question 1: Are you protecting your confidential data?

Looking at the hundreds of publicly disclosed data breaches in 2015 and before, common themes can be identified:

  • A significant amount of data poorly protected
  • Poor security awareness through employees
  • A general lack of response and recovery capabilities in a timely manner

The combination of these three factors often results in a worst case scenario, regardless of how much the organization has invested in other security controls.

Many organizations apply some level of security controls around their CRM platform (Identify Access Management, security system hardening, etc.). However, some of the same organizations also allow employees to export data in bulk (e.g., the full list of customers in a specific business line, with their financial statements and other sensitive data). Unfortunately, those employees may send the exported Excel file to their private email address, upload it to the cloud or even print it out to work on it while commuting back home by train – and lose the precious documents.

So CIOs should think how to stop adding layers over layers of security controls and start focusing on protecting confidential data end to end (starting with security awareness for employees).

Question 2: What’s most important for you – being compliant or being secure?

Eventually, in the security industry, we ended up in a paradox: security controls actually became part of the problem. For example, today, it is unthinkable to provide employees with a laptop without antivirus software installed, or leave a corporate network without a firewall.

However, when an attacker wants to get into an organization’s network, one of the easiest ways is to exploit outdated security software, such as antivirus programs or badly configured firewalls.

Why and how did this happen? Often organizations focus on being compliant with regulations, best practices, standards, certifications requirements, etc. – rather than keeping a strong security posture. They end up deploying a significant number of tools that are hard to maintain. And this is not a technical problem, but a security culture problem.

CIOs can help by embedding the security into the end-to-end organizational processes. Security is not an app, but a process. So organizations should stop doing security and start doing business securely.

2 thoughts on “Security is not an app – it’s a process

  1. Hi Stefano, I absolutely agree with this vision. And if I can expand on one, of the three bullet points ” • A significant amount of data poorly protected”, this is indeed a serious but as well pretty common issue . Root causes are usually found in three main areas:
    – Insufficient training (for people who are in charge to protect the data) -Processes not designed with security in mind – Unclear (or at times too generic) communications on do’s and don’t. In my opinion the skillset (lack of training or qualification) is usually “the elephant in the room”. Those are the points where to focus first, for organizations who want to address the ” • A significant amount of data poorly protected” point.

    1. Hello,

      thanks for you comment, it makes sense indeed! Creating a security culture requires indeed a good level of training for people dealing with most sensitive information.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s