Detection is not enough for today’s complex cyber threats
When Leonardo Da Vinci wrote some 500 years ago that we should ‘realize that everything connects to everything else’, he was probably making a metaphysical point; in today’s digital world it is fast becoming a statement of fact.
A connected world challenges security
As we strive for greater efficiency and to exploit advances in technology, we often expand the range of our ‘connectivity’: adding new customers, new suppliers and data feeds for Big Data Analytics, using social media, and changing the way we obtain IT capability through commodity pricing, cloud services and ‘digital transformation’. We want mobility in our working lives and we want to bring our own devices to work. What is all of that doing to the inherent security of the information systems we already had?
There is a need for a holistic approach to cyber security, and an understanding that almost any change requires us to think about the collateral implications it might have for the entire infrastructure. We need to plan for, monitor, respond to and recover from whatever the connected world throws at us, protecting not just the information systems but the business processes they underpin.
But we have been here before. In the 1970s and 80s, architects designed buildings, housing estates and whole communities that were beautiful to look at but inherently flawed as secure places to live or work. That experience led to the concept of ‘Secure by Design’ and to recognition of the crucial role people must play in making security effective, and those two ideas now determine the balance between aesthetics and security. We should consider what lessons can be learned from that process.
Information Security is a critical business enabler
Information Security should be viewed as a critical business enabler, bringing clear value and benefits, rather than as an overhead to be tolerated. It must be appropriately targeted to manage risk effectively, allowing you to understand and manage the residual risks. It is not how much you invest but how well you invest it.
Of course, there will always be a very small percentage of threats that organisations cannot protect their businesses against, because the cost of doing so would be extraordinarily high. They must therefore strike a balance, investing in the right areas of security to remain in control of the business without breaking the bank.
New market opportunities, new ways of working and new risks
The digital era is something of a double-edged sword: there is a constant dynamic between new market opportunities, new ways of working and the new risks that emerge as a consequence. Those opportunities and the evolving risk landscape need to be managed together to give a complete overview of the business operations. If we introduce new ways of working, we also need a good understanding of the new risks we are opening ourselves up to. Only then can we take steps to mitigate them.
Security policies aligned to new situations
Organisations are therefore required to adapt constantly to these new situations, both to maintain a competitive advantage and to answer to the regulators. Understanding what the regulatory landscape means from a security perspective enables enterprises to prove that their businesses are taking the correct measures, building trust with their customers in return. Keeping their Information Security policies aligned with each new situation will enable them to reap all the benefits of the digital era and run their businesses much more effectively.