Why Corporate Security Fails – A Focus on Leadership
It looks like 2016 is set to be the year when Information Security gets serious. This year is predicted to break records in terms of investment in cybersecurity measures, with organizations predicted to allocate nearly nine percent of their entire IT budget to security. According to the SANS Institute’s IT Security Spending Report, the protection of sensitive information and regulatory compliance are the two most important driving forces behind this increase in security spending.
That is great news for cybersecurity product vendors. But history tells us that reported breaches and losses from cyber-attacks are increasing just as quickly, despite year-on-year growth in IT security budgets in previous years. So what is going wrong with corporate cybersecurity? Here, we look at how cybersecurity technology is marketed and at the recurring disconnect between product investment and any measurable improvement in information security effectiveness.
Whose Job Is Cybersecurity Anyway?
For too many organizations, cybersecurity is seen as the sole responsibility of the company’s CIO or CISO, when the reality is that everyone now needs a sound appreciation of cybersecurity best practices. From senior executives to general staff, every employee should maintain security hygiene that has the company’s and its customers’ best interests in mind. Refusing to take accountability for securing sensitive data does nothing to protect an organization’s valuable assets, yet this has become all too common within information security roles. Too many leaders are more worried about avoiding the responsibility that comes with securing information than about involving and training their employees in good security practice. Whether that is done through intensive training and education or by deploying security solutions that help prevent problems from happening in the first place, it all starts with strong leadership.
Security leadership must make it mandatory to provide employees with an effective awareness program and to remind them regularly of the significance of the information they handle and their responsibility to secure it. Cybersecurity is closely tied to customer loyalty and trust; if it is not taken seriously, customers will look elsewhere and your brand’s reputation will suffer significant damage. A leader who talks to employees about a cyber issue in terms of its business risk will drive effective change in the workplace, and will show employees that security is not just an IT issue but everyone’s issue. In fact, being cyber resilient can be a competitive advantage and a means of staying ahead of the competition. If a potential customer can choose between a company that treats cybersecurity as a priority and one that treats it as an unmanageable task, which do you think they will choose?
Avoiding the Blame
The “revolving door” of security leadership plays its part too. The classic scenario: an experienced security professional joins an organization and implements the security solutions they personally prefer. Once they leave, nobody else has been trained to manage those tools correctly, leaving the organization vulnerable to attack and its budget poorly spent.
The market and the vendor community could do more to help too. The market is typically too adversarial, with vendors competing for a finite security budget, sometimes at the expense of the customer, who ends up with a top-heavy product portfolio. A balanced, comprehensive product portfolio that underpins the full range of security best practices is a better approach than, say, trying to stretch a high-end SIEM solution beyond its capabilities.
While information security budgets are predicted to rise this year, simply throwing money at regulatory requirements does not by itself secure an organization. Organizations have been investing record amounts in cybersecurity solutions, yet the number of security-related incidents keeps increasing. This increase in funding shows that information security is finally getting the attention it deserves, but spending effectively must be the priority for every organization, regardless of size. If high spending is producing low levels of success, an organization must ask whether it needs new security defenses or better education for its staff.
Effective spending requires organizations to focus on the resources that protect the business where it is most vulnerable, rather than on buying the latest “must have” products on the market.
Creating a Cybersecurity Mindset
Cybersecurity is a 24/7 discipline and requires a combination of technology, procedures and working practices to maintain solid defenses. That is precisely why organizations will continue to be breached unless a cybersecurity mindset becomes second nature for all employees. Keeping security at the front of employees’ minds instills both the seriousness and the benefits of maintaining an effective corporate cybersecurity program. Employees must not only be aware of the policies and procedures but must also be trained in how to respond to a cybersecurity incident.
Cybersecurity takes many forms, and the range and sophistication of today’s threats make it a daunting task for many corporations. From detecting and defeating APTs, to stopping phishing attacks and malware, to insider threats and hacktivism, the scope of cyber threats corporations face is overwhelming and can leave employees wondering where to even start.
While there is no such thing as 100-percent security, a layered, 360-degree discipline helps establish and then maintain it. Increased funding for information security will improve an organization’s cybersecurity and cyber readiness, so long as the organization focuses on getting the security fundamentals right rather than chasing the newest “must have” product.