Imagine yourself running on a treadmill that keeps speeding up. Not only can you not move forward, but you begin to slide backward and fall behind. This scenario depicts the challenge faced by many of today’s cybersecurity teams.
If this sounds a bit dramatic, imagine security professionals ‘running’ to keep up with current threats. They must also speed up to deal with criminals who constantly ‘up their game,’ regulators who demand greater safeguards, and consumers whose rising expectations could make or break a company’s digital brand. And, with continuous technology innovation creating new exposures, the runner must be mindful of emerging threats to ‘information confidentiality,’ ‘system availability’ and ‘data integrity.’
Fortunately, cybersecurity teams are learning to run faster and smarter, by re-thinking the treadmill, their customers, attackers, and the race itself.
Beware of hazards on the race course:
There are many reasons that the Chief Information Security Officer (CISO) job is expanding from the classic role of “guarding the company’s perimeter walls” to dueling sophisticated cyber criminals, advising on digital strategy governance, and mitigating risks for all company stakeholders.
Although these trends are not developing at an equal pace everywhere, increasing privacy regulation is a factor. Particularly in Europe and North America, we see more political attention paid to the aggregation of consumer data, prompting governments to become guardians of citizen rights through stringent privacy laws. This political agenda is a response to both consumers’ embrace of digital services - which creates vast repositories of personal data - and the public’s dawning realization that popular technologies could also threaten their privacy and security.
Regulatory interest is also stoked by the fact that innovative technologies, such as cloud services, create an increasingly integrated and inter-dependent ecosystem of companies, technology partners and third-party suppliers. This is driving governments to closely examine companies’ operational resilience to technology risks.
Another factor adding pressure to the CISO is the recognition by companies that ‘digital trust’ is a precious resource and increasingly at the heart of a company’s brand. As organizations undergo digital transformation - and shift their business models to more online and data-driven services - they must build and preserve trust among their publics that they can reliably deliver their services and protect customer interests.
With business models that now hinge on trust, company executives are beginning to appreciate the immense reputational, financial and legal risks they face if their customers, their data or their operations are interrupted by cybercrime.
And of course, just as boards appreciate these ‘risks’, sophisticated organized crime groups are spotting the ‘opportunities.’ By rapidly adapting new-world technology to scale age-old crimes, including robbery, fraud, blackmail and business disruption, they are formidable opponents, dedicated to making money from new digital vulnerabilities of companies and customers.
Cybersecurity evolves with new demands:
With all this going on, the analogy of the runner on the treadmill is fitting. However, we now also see many organizations that recognize the importance of evolving the way they protect themselves, their business models, and their entire digital ecosystem. Here are a few trends:
- Re-establish balance to the CIA triangle: Cybersecurity is often described in terms of the three-sided Confidentiality, Integrity and Availability triad. However, it could be argued that in the past, companies had devoted a disproportionate share of resources to confidentiality of customer data, due to its high profile with regulators and the public.
Today, companies are appreciating the need to dedicate greater attention to ‘Availability,’ including safeguards to prevent or minimize service disruption from a cyber threat. This is the result of the spike in cybercrime designed not to steal customer data, but rather shut down or sabotage a company’s service channels or operations. That’s good old-fashioned extortion done digitally.
And going forward, security teams must focus much more on ‘Integrity,’ to ensure the underlying data used by companies for decision-making and service provision does not become corrupted by a cyber-attack, causing long-term harm to the organization. The loss of data integrity is likely to cause substantial damage to businesses that use machine learning and artificial intelligence technologies extensively for decision making. While some companies are moving forward with digital transformation without fully appreciating these emerging risks, others are embedding security discussions up-front into design through an agile development approach.
- Rethinking the CISO mandate: In light of such interconnected issues, some organizations are reviewing the mandates and reporting relationships of their CISOs to ensure better linkages between teams that typically address confidentiality, availability and integrity matters in isolation. For example, while many CISOs operate within the IT division, others report into company Risk functions, with a broader risk management focus. Increasingly, CISOs are entering the sphere of Chief Digital Officers or Chief Data Officers, who often have greater ability to address integrity issues that cross silos, departments and business lines.
In this new world, CISOs may be domiciled at the enterprise level, but build strong relationships across business lines, working closely with a federation of local business security officers who translate corporate policies to meet local business needs. By doing so, the security group can become an enabler, rather than a blocker, of innovation by the business or marketing groups. By redefining and refining the CISO position, organizations can better place their CISOs to face the unfolding challenges, from increasing regulatory responsibilities to serving as key advisor on organizational security.
- Put the customer first: Since digital trust has become a crucial, albeit intangible, corporate asset, security functions must adjust their mindset from being primarily protectors of enterprise interests to also become champions of the interests of the customer. This is a big change from the past when the business lines or customer channels developed new customer-friendly products and services, security teams imposed limitations to reduce organizational risk, and customer concerns were typically advocated by the privacy, regulatory or fraud investigation departments.
Increasingly, the security group may assume ownership of customer security and digital trust issues to ensure they don’t fall through the cracks. To do so, they must become involved in the development of the customer journey across their organization. This will enable them to recognize points of security weakness, create a comprehensive risk map, and also look for opportunities to add competitive value for the customer.
In many cases, the security group may become an important party in customer communications to build and shape digital trust with constituents. We are now seeing security functions that help guide customer education or awareness programs. They possess the in-depth understanding of the issues, to ensure that communications are adequate. They also appreciate the danger of overstepping with excess assurance or guarantees, which could inadvertently dare attackers and disappoint customers if safeguards fail.
- And finally, prevention is important, but… I’ve mentioned previously how today’s C-suite leaders have wisely embraced the need to invest in cybersecurity, making cyber risk one of their top priorities. However, the next step is ensuring that they understand that resources must be balanced across both prevention and response. I remind my clients that, while intensive measures to prevent a cyber breach are essential, sooner or later, some cyber incident will occur. Thus, your company’s ability to respond quickly, stem the threat, reassure customers, resume business as usual, and rebuild digital trust will be critical.
These are not easy messages for executives to hear, particularly when you are told that everything you did yesterday is barely enough to keep up with today, and it will certainly not be enough by tomorrow. But take heart in the fact that the race is not futile. By carefully reconsidering exactly who, what, how - and for whom - cybersecurity performs its duties, we can ensure that the dedicated runner keeps a healthy pace on that constant treadmill.