The most common response from business executives when asked about Security is a deep sigh followed by a statement about both the impact of security breaches and the cost of recovering when they happen. They rightly worry about the effects of security “issues” on their organizations and customers, and about the increasing public (and legal) scrutiny that has been spurred by noted security breaches that make the news. Their worries are justified no doubt, but despite the enormous payload of security breaches, few think about Security in a dynamic and holistic way.
Most executives, irrespective of their intelligence and experience, think of Security as though it is an “episodic” issue that requires response plans and SWAT teams; few realize that Security and the very fact of Business are fundamentally intertwined; they cannot exist without each other. Few realize that modern business, characterized by digitization, is built fundamentally on the ongoing balance between efficiency, growth, and productivity on the one hand and security, compliance, and governance on the other. The key word here is ongoing: there is no perfect state, nor is there a defined set of threats that stays still in time and space.
Put simply: Security breaches are a fact of life and Security thus inheres in everything a business does.
Like Siamese twins, business and security are bound together inextricably; the choice before us is to determine whether they are amicable or constantly at loggerheads. It is high time that every leader of every organization understand this and act on it. Living breach to breach is tantamount to sitting idle while waiting for what some senior experts refer to as “extinction level” events.
Interestingly, however, once this realization is made, Security can be thought of as any other core business issue. A plan is necessary as is a dynamic framework that fundamentally presupposes that attack vectors will change constantly, that the sophistication of the “bad guys” will continue to increase, and that the surface area of attack will grow as organizations grow and transform digitally. This framework must be holistic insofar as it must solve for Technology, People, and Process. The framework must “live” and evolve. Stasis is death. If there are “Moving threats” then you need “Moving Threat Defense,” as cybersecurity pundits will tell you.
As with all such fundamental issues in an organization, great internal resolve is needed to embark on the journey. Knowledge of the intricacies is of course necessary, but most organizations have only very rudimentary controls in place. This means that once the resolution is made to take Security Maturity seriously, quick work must be done to assess where the organization is and where it needs to get to, with time being of the essence. Attacks are increasingly frequent and increasingly costly, and they come from both outside and inside the organization.
In this, technology is important but neutral. As security (defense) technologies get more innovative and powerful, so do the attackers’ methods. Put slightly differently, it is important that organizations invest in the latest and greatest software to protect themselves and allow their businesses to run smoothly, but they also need to invest in the ongoing services and processes that allow them to stay a “step ahead.”
All large transformations offer great opportunity and create new costs. Digital transformation is no different. The enormous benefits that come from digital business are well-documented and well-understood. The costs associated with it have to be not only understood but accepted.