You can no longer afford to off-load cybersecurity responsibility onto the IT department; security must be driven by the business from the top down.
The term cybersecurity has become known globally in light of some of the major breaches. Perhaps the best example was the recent WannaCry ransomware attack, which had an effect worldwide and subsequently gained global media coverage.
Awareness in the wider world is beginning to grow, and it is also growing within the business world. You could easily think that C-suite executives and the board would always have had a strong interest in and understanding of cybersecurity, but that is not always the case.
Not only has there been some oversight from the higher echelons in business, but the focus has been narrow enough that the problem of security has been swept under the IT rug from all angles, with the IT team expected to stand alone before the tidal wave and defend the organisation with its expertise.
Cybersecurity is now all-encompassing in business. The days of shields and shells around businesses are coming to an end, at least with regard to the belief that these will keep your business totally safe, so security must be a priority for everyone in the business. CBR spoke to the President of RSA, Rohit Ghai, and the Vice President of EMEA, Jonathan Gill, to ascertain the importance of business-driven security.
“The world has changed, it is a new world, the first aspect is that it is a digital world where the physical and the digital are blending in, this means there is no perimeter, users are everywhere. You expect to have access to your data and your assets from anywhere, so users are everywhere, applications and technologies are everywhere, it is on the ground, in the sky, in the cloud,” Mr Ghai told CBR.
Not only is data much harder to keep track of as it moves so freely and in such massive quantities, but the consumer is also eager for ever greater freedom with their data, especially the ability to access it anywhere, at any time.
Mr Ghai explained the pressure companies are under to deliver on the requests of the customer, and it is coming from different angles, further amplifying the problem.
He said: “The second aspect is that there are different expectations of the new world, which means consumers want all the convenience, they want frictionless access, and yet they are very demanding now, and very aware now of their data and are demanding of the organisations that are custodians of that data to care for it, to secure it, and to ensure privacy.
“So there are new expectations from consumers, they are more demanding, more aware, and less tolerant, and finally, it is a new threat landscape as well, there are more bad guys than before, they are getting better every day, and they have access to the same technology that the good guys do.”
Jonathan Gill, Vice President of RSA EMEA, was in agreement. He said: “The public want less and less friction, ‘don’t get in my way, even though I know the consequences of all these breaches, I want my life to be easier’ – so you’ve got IT fighting a fight they cannot win, in terms of the limited resources and the budget costs and the growing threat landscape.”
Many cybersecurity vendors are working towards leveraging cutting-edge technologies such as artificial intelligence (AI) to handle this onslaught, which is multiplying in size and severity, but Mr Ghai outlined this approach and why it cannot be the whole solution.
Mr Ghai said: “In the industry people are saying we need more and more advanced technology to come to play because it is a lopsided equation, more bad guys than good guys. But we believe that is not sufficient, bad guys have all the same technology as the good guys do, so just throwing technology at the problem isn’t going to cut it.”
Having cohesion within an organisation reduces the pressure on the IT team, spreading the weight of the issue throughout the business.
“So you need something else, and that something else in our point of view is something we call business-driven security, which is to take the advantage that the good guys have, and what is that? We understand our business context. We know what is more important versus what is less important, and that is RSA’s mission, to enable business-driven security.”
It seems that automation and machine learning will prove crucial in helping IT professionals and analysts to handle more menial tasks that weigh them down, but having greater understanding across the business will streamline the general approach to cybersecurity, making defences more formidable.
Mr Ghai said: “You need to apply business context to your security posture; that is what we mean by business-driven security, it is the notion of managing security with the lens of business risk.”
Summarising the benefits of this new approach to security, Mr Ghai outlined the way in which the RSA approach differs from the hordes of other vendors in the industry today, of which there are around 1,500 offering defensive plans.
“It is helpful in two ways, it helps you focus and prioritise what is more important. It also helps the security organisations communicate in the language that the board of directors and the C-suite can understand… that is what RSA is about, we have a rich product portfolio, but how we are different compared to other vendors is because we are not taking a technology approach, we are taking a business oriented approach and a risk oriented approach,” Mr Ghai said.
A major trend of the last decade in cybersecurity has been the shift away from a business being like a medieval settlement, with all of its valuable assets safely contained within hopefully impenetrable walls. This huge structural change has resulted in the high-profile breaches that reach the news today.
Jonathan Gill, Vice President of RSA EMEA, sketched out the situation, and why the new dynamic has brought about an urgent need for business-driven security.
“When I started in this role in security, selling, I could count the products on my fingers, and if a company was attacked, nobody knew about it, and they had walls. We would sell things where there were bricks and mortar, you could build higher walls, and if there was a gap in the wall you could close it, and if they built a door they would put an alarm on it, and it was manageable, you could put boxes around things.”
Now that breaches are so high profile, the risks for businesses are colossal, compared to a time when a security problem would remain behind closed doors. The nearing arrival of GDPR is set to apply a new level of pressure to businesses, enforcing regulation that aims to make businesses take care of data correctly, and disclose breaches publicly.
Mr Gill said: “This invasion doesn’t happen in private anymore, and it has gone from being an irritant, where somebody might get in and steal something, but the data was not at the heart of the way the business was run, and now when there is a breach there is a chance of it being an extinction event, and that word was never used!”
The prospect of facing extinction forces executives and board members to want to understand and appreciate the organisation’s position on cybersecurity, and what measures are in place throughout.
Summing up the breadth of the task faced by IT professionals, Mr Gill said: “If you have got some computers with stuff on, and one is a core banking system and one is the lunchtime menu, and IT just sees them as assets, and it can’t defend all the assets, hey it might get to the lunch menu first.”
A recent survey from the Institute of Directors that was supported by Barclays found that almost half of UK businesses have no cybersecurity plan in place whatsoever, and a 2017 report on breaches from the government found that almost half had identified one or more breaches in the last year alone.
This does not include the number that do not know whether they have been breached or not, highlighting the problem in awareness and cohesion surrounding cybersecurity within organisations.
“The great news is both the business side and the technology side of the business have the same goals, a decade ago, the business team would simply ask the IT team and the security team, ‘make sure we are not in the headlines of the Wall Street Journal’. The bad news though is that they speak different languages, one side speaks Greek and the other side speaks Spanish, there is a gap, and what is needed is a set of solutions that bridge that gap, and that is where we come in,” Mr Ghai said.