Organisations have had their work cut out for them over the last 18 months when it comes to managing cyber security and risk.
According to Gartner, the increase in virtual activities such as remote work and online shopping has been a breeding ground for cybercrime, as organisations struggle to build the expertise and foster the right ‘security culture’ to keep up.
To address these gaps, businesses must shift the way they’re thinking about security culture, from directives that are strictly enforced to something that’s nurtured within the fabric of the business.
Security can no longer operate in isolation and as a siloed function of the IT department. Fundamentally, it needs to be embedded in everything that an organisation does and be strategically aligned to business objectives and the priorities of the board.
To be successful in the modern era, organisations must combine these two sometimes opposing viewpoints to form a common framework across all security practices, which we call a cyber business risk framework.
This blends the most important aspects of a successful security function, allowing organisations to scale their business without having to worry about maintaining security and compliance standards.
This is the second of four trends that we’ll be discussing as part of this article series, in partnership with AustCham Singapore.
In the last piece, we discussed why organisations aren’t letting go of their on-premise workloads and outlined how these footprints are becoming aligned with robust hybrid cloud strategies.
Building on those concepts, it’s important that organisations secure their diverse IT environments end-to-end with a security approach that prioritises what’s most important from a business perspective.
Blending two different approaches
It’s comforting to see that security is increasingly becoming a board-level priority. According to a Telstra study, 39 per cent of the C-suite now recognise security as a top priority. However, in the Asian market, as everywhere else, there is a fundamental disconnect between how the board and security professionals view risk.
Boards view security within the business context, associating it with a tangible, often financial risk and insuring against that. On the other hand, technologists often assess technical risk in a broad sense across the entire business, looking at the total level of exposure.
The fundamental problem with this is that technical security risk may not represent a sizable risk in a business context, and vice versa.
The solution is to amalgamate business risk with security risk to give you a complete picture of total cyber business risk. This essentially involves looking across the business to understand what’s most important from a strategic perspective and using that as the baseline for measurement.
This starts with assessing which business functions are most valuable, and what the financial and reputational loss would be if the infrastructure supporting those functions went down or if data was lost.
This allows organisations to define key services and infrastructure as technology functions and apply a security measure to each that is proportionate to its importance.
The ultimate result is the merging of cyber risk with business exposure, which frames the importance of critical systems within the context of their financial value, as a concrete number. This tends to resonate with board members more effectively than broad approaches to protecting infrastructure.
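The following is an added illustration of the approach described above; it is not code from the original article or from any framework the authors sell. It assumes a simple likelihood-times-impact model in which the business impact of a function is its outage cost plus its data-loss cost, and the likelihood of compromise is derived from the technical exposure of the supporting infrastructure. All figures are constructed for the example. Ranking the same functions by technical exposure alone and by cyber business risk shows the disconnect the article describes: the most exposed system is not the one that puts the most money at risk.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    """One business function and the constructed figures used to value it."""
    name: str
    downtime_cost_per_hour: float  # financial loss per hour the function is unavailable
    data_loss_cost: float          # one-off financial and reputational loss if its data is lost
    expected_outage_hours: float   # outage expected if the supporting infrastructure is compromised
    breach_likelihood: float       # annual probability of compromise, from technical exposure (0..1)


def business_impact(fn: BusinessFunction) -> float:
    """Loss the business would suffer if this function's infrastructure went down and data was lost."""
    return fn.downtime_cost_per_hour * fn.expected_outage_hours + fn.data_loss_cost


def cyber_business_risk(fn: BusinessFunction) -> float:
    """Expected annual loss: technical likelihood weighted by business impact (assumed model)."""
    return fn.breach_likelihood * business_impact(fn)


def rank_by_technical_exposure(functions):
    """The technologist's view: order by how exposed the infrastructure is."""
    return sorted(functions, key=lambda f: f.breach_likelihood, reverse=True)


def rank_by_business_risk(functions):
    """The board's view: order by expected financial loss."""
    return sorted(functions, key=cyber_business_risk, reverse=True)


def risk_report(functions):
    """Name and expected annual loss for each function, highest first."""
    return [(f.name, cyber_business_risk(f)) for f in rank_by_business_risk(functions)]


# Constructed sample data: a low-exposure revenue system, a highly exposed
# low-value system, and a moderately exposed system with sensitive data.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Online checkout", 25_000.0, 2_000_000.0, 8.0, 0.10),
    BusinessFunction("Internal wiki", 200.0, 50_000.0, 48.0, 0.60),
    BusinessFunction("Payroll", 5_000.0, 750_000.0, 24.0, 0.20),
]


if __name__ == "__main__":
    print("Ranked by technical exposure:")
    for f in rank_by_technical_exposure(SAMPLE_FUNCTIONS):
        print(f"  {f.name:18} likelihood={f.breach_likelihood:.2f}")
    print("Ranked by cyber business risk:")
    for name, risk in risk_report(SAMPLE_FUNCTIONS):
        print(f"  {name:18} expected annual loss={risk:,.0f}")
```

With these figures the internal wiki tops the exposure ranking while the online checkout, the least exposed system, carries the largest expected loss; the number each function produces is what the article means by framing critical systems in terms of their financial value.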
A big gamechanger for the industry
Blending the visions of business heads and technologists into one core security approach allows organisations to embed best-practice into everything they do.
It reconfigures the core value of security away from being a cost centre towards how it enables the business. This means ROI can be determined more precisely, based on how security investments made today can prevent the cost of a breach in the future.
Creating a central approach changes what is required to be effective in security roles. It’s no longer just about being a great technologist; it’s about thinking like a business analyst, and understanding risk from that perspective to formulate the right approach.
The security industry is adapting to the evolving and sophisticated threat landscape and practitioners must adapt with it. The core characteristic of a modern security professional is being able to operate in this hybrid kind of way, blending business objectives with security best-practice.
Rather than plugging in tools and adapting culture to cater for security, it’s about embedding security into the existing culture of the business. This is the way the industry is heading and organisations that only focus on security tooling are likely to experience greater hardship going forward.
This is particularly important considering the increased complexity of IT environments, following huge investments in digital transformation over the last 18 months, as organisations bolstered their edge and cloud profiles.
In our next article, we’ll assess the other complexities around this increased investment, including the momentum behind cloud and edge adoption, and how organisations are aligning these two types of infrastructure in 2021.
If you’d like more information on how to embed security into your business culture, you can contact us here.
This article is part of a 5-part series, first appearing on the Australian Chamber of Singapore’s weekly newsletter in August 2021. Look out for the next upcoming articles on:
Article 3 - Cyber Business Risk is the next Frontier