Cyber Security: Beyond a Mere Operational Approach
The post-COVID winners will be those who treat it strategically now
C-level executives must stop looking at cybersecurity as a mere operational matter: something which is below them and is dealt with somewhere below them in the organisation. It is the type of mental attitude which has led to twenty years of maturity stagnation in real terms across the security industry, in spite of the billions spent with tech vendors.
Talking about industry stagnation is a way of highlighting that the security industry keeps going round in circles and that topics – such as the timely deployment of security patches for example – keep coming back regularly towards the top of the agenda, although they have been known – and could have been addressed – for more than a decade.
But as a matter of fact, the situation is getting worse, and firms – large and small – have been facing a non-stop tidal wave of cyber attacks over the past few years in spite of the proliferation of tech products in that space.
Fundamentally, pure operational approaches to cyber security have failed. They have not managed to keep in phase with the digital transformation of many businesses, the emergence of cloud solutions and the de-perimeterization of the enterprise. They have fallen victim to adverse prioritization and internal politics in many large firms or have not been able to focus beyond illusory quick wins.
In fact, taking a pure operational approach to cyber security fails because it downgrades a complex matter and negates its true dimension. It is not – and has never been – a purely technical problem. The protection of the enterprise – by its employees – against external threats is rooted in corporate values and management practices. And that’s where the solution should start.
Good and clear governance must be in place around cyber security and be visible up to the top. This must now be a Board matter in the face of non-stop cyber-attacks, and it must be visibly owned by a Board member.
It is also a transversal problem, and not just a technical one. Business units and support functions must be directly involved in any cyber security programme of work, not just IT.
There will be no magical or instant solution where cyber security maturity levels are low. Improvement will require transformative work at a number of levels across the enterprise and probably over the mid to long-term.
The current situation around COVID-19 makes the message ever harder to accept, as uncertainty dominates, budgets tighten and priorities have to be set ruthlessly. But the hard realities around cyber security remain the same. And buying some tech silver bullet is not likely to solve it for you, in spite of what countless vendors would like you to believe.
At the same time, maintaining good cyber security has never been more essential, as the digital transformation accelerates and the economy at large shifts towards operating models which present much broader attack surfaces to cyber threats and are – effectively – entirely dependent on secure and stable practices.
Post-COVID, concerns about regulatory and legal friction around the security of personal data, and about corporate resilience to cyber-attacks, will return. Privacy concerns have not disappeared during the lockdown. In fact, the debate around the introduction of tracing apps in some western countries has highlighted the vitality of the topic, and it is likely – going forward – that citizens and customers will demand a greater sense of purpose from businesses and greater respect for their personal data.
Good cyber security – and data privacy – practices are essential pillars supporting digital trust, and digital trust will be the cornerstone of the post-COVID “new normal”.
Now is the time to treat cyber security strategically – not tactically – and to embed it into your culture – not just your technology or your operations.
The post-COVID winners will be those who seize the moment.