IT security is a team effort. But it’s failing on several levels — from the industry as a whole to senior management, CISOs, and even consulting organizations. We focus far too much on problems rather than solutions, and on disjointed investments rather than holistic strategies.
We need to change, and that means refocusing our efforts on supporting the business.
The speed of change
There’s an old analogy which equates effective cybersecurity to the brakes in a car. Why are the brakes there? Not to slow the car down, but to enable it to go faster, more safely. The same should be true of modern IT security departments. But unfortunately, it’s often not the case.
Society is hurtling faster and faster to a digital future, thanks to transformative technologies like AI, IoT, big data analytics, cloud and mobile. At a conservative estimate, over two-fifths of European companies have already begun digital transformation. But security is too often known as the “no” in innovation. It’s not supporting growth but blocking development.
This breakdown comes at several levels:
- As an industry we talk too much about technology and problems rather than solutions.
- We’ve historically put in place a patchwork of products and services rather than follow a unified strategy. We often plough money into the latest tech rather than consider what’s in the best interests of the business.
- Consulting firms too often say “yes” to keep the client happy, ignoring their primary responsibility: to offer constructive advice to achieve the best outcomes.
- Security leaders don’t have any influence at the board level. Security concerns will rarely stop production — the business imperative always wins.
- Awareness of security is low, especially at board level, which is a symptom of the above. NTT Security’s Management Hack service in EMEA has highlighted to us just how easy it is to dupe an executive.
From the top down
This is a story we need to change. But that requires behavioral changes. A big responsibility lies with the CISO. In the past, security bosses were focused pre-eminently on governance. Thankfully this is changing: modern CISOs are much more business-driven, and focused on enabling a corporate-wide security-by-design culture. This is being driven in part by the GDPR, but it’s also vital to business success and long-term growth.
I’m optimistic about the future. Many of the new breed of CISOs I’ve spoken to have the right ideas. They can help build out a coherent security strategy to support the business, which in turn will build greater awareness and gain the respect of the board, leading to more influence for the security function in the organization.
Policies, procedures and investments in point products don’t make you secure — no matter what the vendors promise you. Instead, there needs to be a shift in focus from a policy-driven to a business-driven approach. Time is running out. Digital transformation is happening with or without our input. It’s vital that it does so with complementary security built in from the start.
Failure doesn't mean the game is over, it means try again with experience. (Len Schlesinger)