Too many people in the worlds of business, government, and private life think of security as a technology issue; in reality, it’s a business problem, not unlike others, and has to be dealt with in the same terms as other pressing matters that occupy the minds and energies of executives. This isn’t to say that technology plays no role; it clearly does. Rather, a purely techno-centric view will lead all organizations astray.
Let’s begin by being clear that technology and security are no doubt interlinked. As organizations digitize and undergo what is termed “digital transformation,” they move more assets and processes into the world of technology; as such, they benefit from the opportunities offered by technology but also create an increasing surface area for technology-borne attacks. The increase in both cyber-attacks and cyber-security spending indicates the degree to which this is true. The issue, however, is far deeper and wider than technology.
Security has as much to do with People and Process
On the people side, it is said that security is not just a “Silicon problem” but is also a “Carbon problem.” Not only are cyber-attackers burgeoning in number, but their motivations are increasingly complex, traversing economic, political, social, and other realms. Nor are all people threats external. In a good number of cases, internal people (employees, partners, contractors) commit both voluntary and involuntary acts that become major security issues. All organizations have to account for this in everything from hiring practices, to internal training, to connecting physical and logical security so that physical presence does not automatically connect to the ability to do harm.
On the process side, all organizations must create living, breathing plans to upgrade all processes (from operations to finance and all areas in between) to account for increasingly complex threat vectors. Plans that are built only to calcify are worse than no plans at all. As with technology, any process “monoculture” creates an easily decipherable signature and is therefore subject to attack more easily than dynamic and ever-moving processes.
Security must be incorporated into all aspects of running a business
No doubt, the main goal of an organization is to grow, but this growth is predicated on a set of assumptions that are easily dashed to the ground when security attacks happen and render their payload. Thus, in order to truly sustain growth in a digitized economy, security must be framed as a business problem that is tied to growth.
This leads to an important point for all executives and decision-makers to emphasize: there is no silver bullet for security nor is there “one answer.” Each organization must assess its own business risks and create a security strategy that is organically related to this nuanced risk profile. Some companies are far more exposed to the “digital world” than others. Some organizations optimize for “efficiency” not governance, feeling that the two are at odds. Some organizations choose to remain local and “closed” while others embrace global presence and have an open “architecture” for dissemination of information and access to systems.
Each of these configurations has benefits and is simultaneously fraught with threats. As such, each organization needs to think of security as a combination of unique business risks and dynamic-yet-proven mitigation processes and practices. This is the balance that all organizations must strive for.
At Akvelon, we think of security in precisely these holistic, business-centric terms. We know that our technical expertise is just part of the solution. With security, all organizations need a technically adept business partner to help them navigate the complex obstacles that come about as the result of digital transformation.