Many organisations tend to see security as a technology issue rather than a business issue and, as a result, the right questions are often not asked about resilient cybersecurity defences.
To effectively manage risk means having the right governance in place, with effective supporting processes and the right enabling technology. It should never start with the technology. The common misconception is that an organisation will be safe if it invests in best-of-class technology or, increasingly, a broader platform. While it’s important for any business to integrate security technology into its IT architecture, it will only be effective if the end users understand their own responsibilities to keep their systems safe. And that’s more about changing the culture of the organisation and educating employees than spending money on another tool. This is evidenced by research from Aberdeen Group, which estimates that 65% of all data loss is down to human error.
A first step towards de-mystifying security and protecting an organisation against potential threats is to fully understand the risk exposure across all areas of the business. There’s a growing global shortage of cybersecurity skills so, if in-house skills are lacking, an organisation should take expert advice and consider a comprehensive evaluation of the company. This will highlight areas of risk, make recommendations, prioritise actions and help an organisation build a strategic roadmap for continuous risk management. A full assessment would expose gaps in the IT security armour, highlight the risks associated with a contractor workforce and flag the critical areas that need immediate attention. Furthermore, an evaluation summary would give a timeline for carrying out any remedial actions required and the ability for the board to track and approve progress in mitigating risk.
It’s important to note, though, that no two organisations are the same and information security is never done. It’s a continuous cycle to support continuous improvements, and the starting point depends very much on where a business sits in terms of its security maturity.
While there has never been more choice in security technology, which clearly benefits the industry as a whole, businesses need to avoid unnecessary complexity and take a more focused approach to cyber protection. Technology alone won’t resolve a skills shortage, ransomware requires education and awareness, and platforms have to be comprehensive and managed effectively to benefit the organisation. Too often technology is seen as the silver bullet but, if a business makes ill-advised choices and doesn’t take enough care with configuration and management, technology will not be the business enabler that it should be.