Reasonable Endeavour – A Modern CSO’s Guide to Securing your Organization
Organizational security comes in many forms. From locking the doors and windows of your offices through to protecting the customer data residing in your servers; any breach, whether physical or virtual, can have a devastating impact on the organization.
Even more concerning, security demands have become more complex than ever before in the last few years, as organizations become more global, use more devices, and rely more heavily on data. Securing today’s modern enterprises – famed for being flexible, dynamic and fast-moving – is a real challenge for even the most tech-savvy Chief Security Officer (CSO).
As recently as five years ago, security was a very different beast with CSOs essentially treating the company network as a centralised fortress. Then, following a huge boom in the number of devices being used, infrastructure became a more complex proposition. No longer could the organization’s network be walled off behind a single perimeter. Traffic from both personal and business devices increased exponentially, boundaries became diffuse and IT environments were set up to facilitate performance, availability and reliability.
It is only now that we’re all starting to see that the emphasis on ‘fortification’ was a serious mistake.
With multiple devices running in and out of the network, the ‘hard perimeter’ approach became ineffective. Users and their devices became the primary weak points, and cybercriminals now target staff with a variety of methods – from phishing scams to Trojan horse attacks – to bypass an organization’s outer defences, break through the perimeter and run amok, unchecked, within its infrastructure.
With these worries in mind, security has switched its focus from network perimeter protection to device and data protection. After all, our phones, laptops and tablets can be used as a stepping-stone to our data; the devices can always be replaced, but the data is critical to the way today’s organizations operate.
A Modern Approach
Moreover, while the CSO and their team were traditionally known as strict and near draconian in their application of security, many are now throwing out the rule book and tearing up stringent policies. The rapid pace of technology means that everything moves much faster. Attempting to draft rules is a fool’s errand: you’re always a couple of steps behind with rules either so generic as to be obvious or so niche and strict that they will quickly become outdated.
Instead, CSOs now rely on common sense and a more realistic understanding of how technology is being used and the ways in which the organization will use it. With this new, fluid and adaptable approach, if you find a ‘rule’ is being persistently broken, then instead of attempting to shut down the security loopholes or application functions involved, it’s better to try to incorporate it into the official security strategy. CSOs should work with the business and ensure that it can ‘break’ the rules in a safe and secure way to facilitate or even drive innovation.
When it comes to security, there is no way of guaranteeing 100 per cent safety. Instead, CSOs must apply the principle of Reasonable Endeavour – working side by side with the business, doing everything within their power to avoid a breach, and reacting effectively should one occur. CSOs are expected to understand the value of data and know exactly what is legally required; to have undertaken due diligence on all data within the organization’s care; and to have in place the steps needed to guide business management to take the necessary actions in order to successfully contain any breach, alert affected parties and secure the remainder of the system.
Controversially, I’d suggest that today’s CSOs may want to consider operating with a limited ‘security’ budget, or even without any direct budget. Responsibility for security and data protection should be embedded in the whole organization, and by encouraging departments to control their own security budget – while working closely with the CSO – organizations can engender a sense of shared accountability and community when it comes to provisioning for security. The CSO can take on a sheriff’s role, moving between departments to share best practice and offer advice, rather than acting as a prison guard and attempting the impossible task of keeping a dynamic and ever-changing organization on lockdown.
Today, resilience and agility are vital components in developing a security strategy. The landscape of cyber threats has broadened significantly – and is only set to grow as we increase our reliance on technology and data. The CSO must be as adaptable as their business, as fast as the competition, and as forward-thinking as the hackers.