Embedding cybersecurity into our enterprises remains a difficult problem to solve. Year after year, billions of dollars are spent on building checks and controls, but the rate of attacks and breaches has only accelerated. No one seems to be immune.
Sophisticated players like Chase and British Airways, even icons like Apple and Marriott have been victims of cyberattacks in recent years. Business-critical activities have been disrupted, customers’ data has been compromised, and the threats don’t seem anywhere close to ending.
It’s certainly not for want of budgets, focus or commitment. In fact, in a global survey of almost 1,000 executives from large enterprises across industries, a significant 83% said cybersecurity was critical to their organization and 66% had already implemented a comprehensive enterprise-wide strategy. And yet, our recent experience tells us this just may not be enough to prevent them from becoming the next target.
However, I believe we can carefully and continuously reexamine our approach to cybersecurity by keeping ESP in mind:
- E-secure by design
- Manage scale
- Protect from future threats
E-secure by design
Not-so-thoughtful software system design can be a source of many of the security weaknesses we often see after a breach. It helps to focus relentlessly on building systems, platforms and solutions that are based on secure by design principles thereby ensuring confidentiality, integrity, and availability to deliver “out of the box” secure experiences for users.
Our developers can be trained to embed security even as they architect, plan and code, employing defense-in-depth mechanisms to make sure they are building difficult-to-exploit systems. Reducing the attack surface requires embedding these security principles at the start of the journey, defining a foolproof roadmap and having necessary well-placed controls and standards.
For enterprises whose IT landscape is already well-defined and set, digital transformation offers a massive opportunity to rethink and reimagine the IT setup for more robust digital security. As we build new applications, prepare them to move to the cloud, take advantage of new design elements like microservices or APIs, the leeway to strengthen design security is immense.
The benefits of undertaking an exercise such as this outweighs the complexities. For example, several of our clients from the retail world talk to us about the delays and sometimes even failure to launch their e-commerce sites because of pitfalls in their legacy security architecture. This often entails huge business loss which could have been averted had the “secure by design” principle been implemented as part of their ongoing digital transformation initiatives.
The enterprise’s threat surface is growing at an astonishing rate. The ubiquity of IoT, sensing equipment, cloud-based implementations, and the deluge of smart phones have only aggravated the situation, making the scale on which e-security must be implemented is mind boggling.
And yet, enterprises are stuck with too many signature-based solutions and point solutions working in siloes. They are unable to change fast enough with the changing technology and infrastructure disruptions.
Alerts and notifications from siloed point solutions do not give a unified view of the security posture making it difficult for organizations to track vulnerabilities. More than half the respondents (51%) in the survey I referenced earlier echoed this view.
The need of the hour is for an integrated approach to security and a unified view of the security posture, leveraging predictive analytics and AI for automated response. Enterprises need to build integrated security capabilities around data security, vulnerability and threat management, compliance monitoring and risk assessment, identity-as-a-service and cloud security, enabling real time proactive defense and predictive cyber threat intelligence.
This will also bring with it the ability to profile risks, prioritize and manage threats to businesses and thus remediate with agility. As opposed to nurturing farms of point solutions, this is a great way for CISOs to walk the tightrope between managing budgets efficiently while investing more to thwart attacks.
I am a huge proponent of this integrated approach only because I have seen it work consistently. As recently as last quarter, our client, a leading logistics company in Australia with a complex IT landscape spread across 1200 locations, in more than 50 countries, leveraged the integrated approach for end-to-end security monitoring and management. They know this is critical for them to securely expand in scale and scope globally, while managing changes in the scale of their infrastructure and ensuring localization of data.
Protect from future threats
Attackers are getting better at causing mayhem, making it imperative that enterprises stay a step ahead of the game by continuously adopting newer technologies and keeping pace with changing times.
This means having access to advanced threat hunting capabilities, forensics, malware analysis and the latest in technology innovations incubated in the world’s best security R&D labs. However, a robust and comprehensive security infrastructure requires so much more than just technology – this means a combination of a strategic view, strong execution capability as well as technical and skill investments.
It requires functional experts with disparate skills – incident managers, forensics experts, operations specialists etc. In such a scenario, it often makes sense for the CISO to find the right partners who possess access to this cutting edge in technology and to these skill sets, rather than taking the long road of direct investment. Gathering expertise from all available sources, both internally and externally, to address capability gaps is a good approach.