Stefano Ciminelli, Executive Director, EY, writes why cybersecurity is a mindset rather than an activity.
“How can I add security?” Until a decade ago, it was quite normal for executives to ask this sort of question. At that time, security was often thought of as a bunch of hardware appliances (firewalls, routers, etc.). It was considered as yet another line in the yearly budget, a cost of doing business – something to keep auditors satisfied.
The landscape has totally changed since then. Security is now commonly known as cybersecurity, and cyber attacks are making the headlines in newspapers every day. As a result, cybersecurity risks are at the top of the C-suite's agenda. Even governments and regulators are building cybersecurity capabilities – in some cases, not only to protect and oversee, but also as a means to attack and defeat.
However, even in this new landscape, there are still executives who believe that security is something that can be “plugged into” the organization. Let’s be clear – security is not an app. It’s not something that can be purchased, downloaded and installed on your phone, after which you are all set. Security is a process; it is about adopting the right risk culture – and having access to security resources should encourage organizations to stop “doing security” and start doing business securely.
In this cyber world, CIOs are in a good position to push for change – transforming security from just a function in the organization to something actually embedded across all existing organizational processes. Here are two questions for organizations to consider:
Question 1: Are you protecting your confidential data?
Looking at the hundreds of publicly disclosed data breaches in 2015 and before, common themes can be identified:
- A significant amount of data that is poorly protected
- Poor security awareness among employees
- A general lack of timely response and recovery capabilities
The combination of these three factors often results in a worst-case scenario, regardless of how much the organization has invested in other security controls.
Many organizations apply some level of security controls around their CRM platform (Identity and Access Management, security system hardening, etc.). However, some of the same organizations also allow employees to export data in bulk (e.g., the full list of customers in a specific business line, with their financial statements and other sensitive data). Unfortunately, those employees may send the exported Excel file to their private email address, upload it to the cloud or even print it out to work on it while commuting home by train – and lose the precious documents.
So CIOs should think about how to stop adding layer upon layer of security controls and start focusing on protecting confidential data end to end (starting with security awareness for employees).
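The bulk-export gap described above is a data-centric control problem rather than a platform-hardening one. The following is an added illustration, not code from EY or from the article, of what a policy gate in front of a CRM export function could look like: sensitive columns are redacted unless the requesting role is cleared for them, an export above a row threshold needs sign-off by someone other than the requester, and every decision produces an audit record. The column names, roles, the 500-row threshold and the request fields are all constructed assumptions for this example.

```python
"""Bulk-export guard: an added example of protecting confidential data end to end.

Constructed illustration, not EY's code. Assumes a CRM export request carries the
requesting user, their role, the business line, the row count and the column list.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed policy values (assumptions for this example).
SENSITIVE_COLUMNS = {"financial_statement", "tax_id", "account_number"}
ROLES_CLEARED_FOR_SENSITIVE = {"finance_analyst", "compliance"}
BULK_ROW_THRESHOLD = 500          # above this, an export counts as bulk


@dataclass
class ExportRequest:
    user: str
    role: str
    business_line: str
    rows: int
    columns: list[str]
    approved_by: str | None = None   # second person who signed off a bulk export


@dataclass
class Decision:
    allowed: bool
    reason: str
    columns: list[str]               # columns that may actually leave the CRM
    audit: str                       # JSON audit line to forward to the SIEM


def evaluate_export(req: ExportRequest) -> Decision:
    """Apply the data-centric policy and emit an audit record for every request."""
    sensitive = sorted(set(req.columns) & SENSITIVE_COLUMNS)
    is_bulk = req.rows > BULK_ROW_THRESHOLD

    # 1. Column-level control: sensitive columns are redacted unless the role is cleared.
    if sensitive and req.role not in ROLES_CLEARED_FOR_SENSITIVE:
        permitted = [c for c in req.columns if c not in SENSITIVE_COLUMNS]
        reason = f"redacted sensitive columns {sensitive} for role {req.role}"
    else:
        permitted = list(req.columns)
        reason = "no column redaction needed"

    # 2. Volume control: a bulk export needs independent approval (not self-approval).
    allowed = True
    if is_bulk:
        if not req.approved_by or req.approved_by == req.user:
            allowed = False
            reason = f"bulk export of {req.rows} rows requires independent approval"
        else:
            reason = f"bulk export approved by {req.approved_by}; {reason}"

    # 3. Every decision is recorded, allowed or not, so exports are visible to operations.
    audit = json.dumps(
        {
            "user": req.user,
            "role": req.role,
            "business_line": req.business_line,
            "rows": req.rows,
            "requested_columns": req.columns,
            "released_columns": permitted if allowed else [],
            "allowed": allowed,
            "reason": reason,
        },
        sort_keys=True,
    )
    return Decision(allowed, reason, permitted if allowed else [], audit)


if __name__ == "__main__":
    # Constructed sample requests mirroring the scenario in the text.
    small = ExportRequest("alice", "sales_rep", "retail", 40, ["name", "email", "tax_id"])
    whole_book = ExportRequest("bob", "sales_rep", "retail", 12000, ["name", "financial_statement"])
    for r in (small, whole_book):
        print(evaluate_export(r).audit)
```

The point of the gate is not the specific numbers but that the control sits on the data flow itself: the same request is evaluated whatever client or tool initiates the export, and the audit line gives the response team something to act on before the spreadsheet reaches a private mailbox.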
Question 2: What’s most important for you – being compliant or being secure?
Eventually, in the security industry, we ended up in a paradox: security controls actually became part of the problem. For example, today, it is unthinkable to provide employees with a laptop without antivirus software installed, or leave a corporate network without a firewall.
However, when an attacker wants to get into an organization’s network, one of the easiest ways is to exploit outdated security software, such as antivirus programs, or badly configured firewalls.
Why and how did this happen? Often organizations focus on being compliant with regulations, best practices, standards, certification requirements, etc. – rather than maintaining a strong security posture. They end up deploying a significant number of tools that are hard to maintain. And this is not a technical problem, but a security culture problem.
CIOs can help by embedding security into the end-to-end organizational processes. Security is not an app, but a process. So organizations should stop doing security and start doing business securely.