Why corporate security fails - A focus on leadership
Mark Kedgley looks at how cyber-security technology is marketed and the recurring disconnect between product investment and incremental improvements in information security effectiveness.
Mark Kedgley, CTO, New Net Technologies (NNT)
It looks like 2016 is set to be the year when Information Security gets serious. This year is predicted to break records in terms of investment in cyber-security measures, with organisations predicted to allocate nearly nine percent of their entire IT budget to security.
Great news for cyber-security product vendors (!), but history tells us that reported breaches and losses from cyber-attacks are still increasing just as quickly, so just what is going wrong with corporate cyber-security?
Whose job is cyber-security anyway?
For too many organisations, cyber-security is seen as the sole responsibility of the company CIO or CISO, when the reality is that everyone now needs a sound appreciation of cyber-security best practices. A lack of accountability for securing sensitive data does nothing to protect an organisation's valuable assets, yet this has become all too common within information security roles. Whether the answer is intensive training and education or implementing security solutions that help stop the problems from happening, it all starts with strong leadership.
Cyber-security is closely tied to customer loyalty and trust, and if not taken seriously it can leave customers looking elsewhere and do significant damage to your brand's reputation. Having a leader who will talk to employees about the business risks that follow from a cyber issue will help drive effective change in the workplace. In fact, being cyber-resilient can even be seen as a competitive advantage and a means of staying ahead of the competition. If a potential customer has to choose between a company that sees cyber-security as a priority and a company that sees cyber-security as an unmanageable task, which do you think they would choose?
Avoiding the blame
The 'revolving door' of security leadership plays its part, too. Classic scenario: an experienced security professional joins an organisation and implements their personal-preference security solutions. But once they're no longer with the organisation, no one is trained on how to correctly manage the software, leaving the organisation vulnerable to attack and with its budget poorly spent.
The market and vendor community could do more to help, too. The market is typically too adversarial with vendors competing for a finite security budget, sometimes at the expense of the customer who ends up with a top-heavy product portfolio.
While budgets for information security defences are predicted to rise this year, simply throwing money at regulatory requirements does not by itself secure an organisation. The record shows that organisations have been investing unprecedented amounts of money in cyber-security solutions, yet the number of security-related incidents keeps increasing. While this increase in funds indicates that information security is finally gaining the attention it deserves, spending effectively needs to be at the forefront for every organisation regardless of size. If high spending levels are reaping low levels of success, organisations must evaluate whether they need new security defences or better-educated staff to address their organisation's needs.
Creating a cyber-security mindset
Cyber-security is a 24/7 discipline and requires a combination of technology measures, procedures and working practices to maintain solid defences. It is precisely for this reason that organisations will continue to get breached unless a cyber-security mindset becomes second nature for all employees. Keeping security at the forefront of your employees' minds will help instil the seriousness and benefits of maintaining an effective corporate cyber-security programme.
Cyber-security takes many different forms, and the range and nature of today's threats are so sophisticated that it often seems a daunting task for corporations to undertake. From capturing and defeating APTs and stopping phishing attacks, to insider threats and hacktivism, the scope of cyber-threats corporations face is overwhelming and can leave employees wondering where to even start.
While there may be no such thing as 100 percent security, implementing layered, 360-degree discipline can help establish and then maintain security. By increasing funding for information security, organisations will improve their cyber-security and cyber-readiness, so long as they focus on getting the security fundamentals right rather than chasing the newest 'must have' product.
Contributed by Mark Kedgley, CTO, New Net Technologies (NNT)