As organisations tackle the daily grind and the challenges of a world where the only constant is change and the main influencing dynamic is speed, I have seen repeatedly over the years the failure to have a principal foundation in place upon which to build, respond and strategise.
I have continually seen piecemeal approaches, and strategy that depends upon budget and then lasts only long enough to get through to the next reporting period. These are certainly not comments of criticism but rather observations. Organisations fund amazing enabling technological investments, but leave nothing for their security, or for a programme of people engagement to maximise what the technology has to offer. Consequently, a notion came to me many years ago that a logical starting point upon which to build is what I describe as the "Three Pillars of Excellence".
I'd like to point out that this notion is so old that I coined the term well before it became "politically trendy"! I hypothesised that a modern digital organisation should build its digital heart upon three pillars: Technology, Security and Culture. These pillars should be invested in equally, not necessarily in terms of money but in terms of commitment.
Normally within the business environment, technology is seen as an "investment": products that will provide a return on investment by delivering greater business outcomes, reductions in costs, efficiencies of time and effort, enhanced compliance and so on.
By building a business case focused on these elements, a CIO can argue strongly for such funds on the basis of that "return on investment". Add the expectation of a business drive towards "digitisation" and the need for businesses to expand with cutting-edge technologies, and, whilst I'm not saying getting funds for new technologies is easy, it is easier than obtaining funds for security, at least in the absence of a compelling event or incident. Business understands the need for technology to be successful in the world of today and the world of tomorrow.
Naturally, there is the need to understand and correctly implement the right technology to ensure business alignment. Too often I hear of conversations where people want to advance by getting the same technology as a competitor, the latest shiny toy, without any real evaluation against business strategy… driven by the fear of falling behind.
With the technology pillar sewn up, let's turn our attention to what some perceive as the "distant poor cousin": Security! Security has been driven on the back of fear, scare tactics and alarmist campaigns designed to highlight the necessity of the security proposition. Security has too often been the "after-thought" or the "add-on" with the minimal budget, as it has struggled to prove its ability to offer a "return on investment"; thus it is seen as a "liability", an "expense" where costs should be kept to a minimum. However, when the world collapses, systems are threatened and reputation is at risk, funds may flow freely.
Often security expenditure has been viewed as insurance against the malfeasance that exists in today's world. This means security has a "reactive" element to its design and strategy. I challenge this view: security should not only be positioned as a proactive, intelligence-led strategy, but it also has the capacity to add value to the business brand and provide a return on investment.
I feel that, with the evolution of technology and business requirements and the emerging influx of regulation and legislation, we will see technologies continue to evolve with in-built security fundamentals. Just as today you can't buy a vehicle without seat belts and other standard safety devices, you won't be able to buy anything that does not meet a "cyber-secure fitted technology standard".
In my view the third pillar, Culture, is as important as the air that we breathe. So often we seek the technical solution to the "technical" problem, forgetting that it is the critical element of human behaviour that gives rise to the technical problem.
The success and pervasiveness of phishing and social engineering attacks has seen this attack methodology escalate both in terms of volume and sophistication. It rests on the simple ability of the criminal to evoke an emotional response, whether the anxiety created by a threat or the elevated excitement of a life-changing opportunity. Yet why should we be so surprised? Have we ever been trained, educated and properly guided to understand the nuances of a phishing email or the methodologies of a social engineering attack? Generally speaking, the answer to this question is "No".
Some studies promulgate that 91% of breaches occur via phishing attacks, yet we continue to look for a technical solution because it's easier and it sells "product". By embracing within our organisations a culture of continual improvement based upon cyber safety, and giving people the skills they need to defend themselves and their families, I suggest you will significantly improve your security posture and vastly reduce your threat level. By building a "security aware" culture you can provide your workforce with the skills they so desperately need to take home to protect their loved ones, elevating your corporate security to their personal security.
In the world of BYOD and "work from home", we no longer control nor understand "who" is actually using the devices that connect to our networks every day, or "what" they are doing on them. By focusing upon and building an organisational culture that supports your technology and security strategy, you not only get earlier adoption and consistent direction from your workforce; by extending the reach of the programme into the homes of your people you will also accelerate the cultural programme and get more meaningful personal commitment, because you're personalising the effort.
A successful business strategy in the modern world needs to have cognisance of these three pillars. Each needs to be invested in equally, not in terms of dollars but in terms of organisational commitment; they are the foundation upon which success can be built. Their execution and operation are a whole new discussion, but if these pillars form the foundation of future action, then in my humble view the path to success has been started in the right direction.
Brian Hay is a CISO Advisor, cyber evangelist, public speaker and commentator.