A 2021 vision for cyber security
We can choose to use our experiences from 2020 to secure our organisations and future, or miss another opportunity to contribute to building a safer digital world.
While no one knows what will happen this year, there are some lessons we can learn from 2020. Last year, we learnt about our employees’ ability to adapt by integrating work and home life while coping with many other challenges. We also learnt about our talented IT staff’s resourcefulness and the flexibility of technologies that made the critical transition to a remote workforce model possible.
Digital resilience ensured our organisations could operate successfully despite mounting challenges. But as many organisations increasingly rely on remote technologies, social media, cloud computing, the Internet of things, and other emerging technologies, they become more vulnerable.
Bad actors are taking advantage of the threat landscape brought about by an extended digital ecosystem and a broader attack surface that characterises many organisations. Thus another looming crisis is evolving rapidly today – cyber crime.
Today, many organisations are experiencing persistent attacks, incidents and breaches daily and even hourly.
Number of bad actors on the rise
A significant learning from 2020 is that cyber adversaries are no longer the lone wolf criminal or tech-savvy thief. Cyber adversaries can range from nation-states, organised crime groups, competitors, partners, customers and suppliers.
No organisation is immune from the malicious and illegal conduct of any of these parties. State-sponsored threats are no longer the preserve of cyber superpowers such as the US, UK, Russia, China, Israel, Iran and North Korea.
Developing nations such as the DRC, UAE and Zimbabwe, with only modest spending, can acquire technical capabilities in a sophisticated black market, either on the Dark Web or openly, and carry out state-sponsored breaches.
The knowledge and tools required to become a hacker are now accessible to many, but even these are not a requirement. For example, threats from internal adversaries persist: the disgruntled staff member who has no hacking skills but does have authorised access to download confidential files can easily steal trade secrets from the company.
In any event, many breaches are not discovered and do not make the headlines. Some breaches are not disclosed by companies and their lack of disclosure leaves customers and supply chain partners exposed.
Skilled cyber security professionals remain scarce
Cyber crime is a threat to our national and economic security. While governments are responsible for national defence, government agencies worldwide have a poor track record of protecting themselves.
It is challenging for government agencies to hire and retain top talent in most fields. Increases in the demand and compensation for experienced IT workers generally place a significant drain on the government purse.
The problem is worse for cyber security jobs given the limited pool of skilled information security workers. According to the Global Information Security Workforce Study, the cyber security workforce gap will rise by 1.8 million by 2022.
The cyber security workforce needs to grow by 145% to meet the global demand for skilled cyber security talent.
In addition, there are notable differences in education, experience and professional responsibilities across cyber security jobs. Some skills are shared across these jobs, while other highly-specialised skills force many companies to rely on third-party providers.
The high number of unfilled cyber security jobs globally also presents a significant challenge for companies in the private sector.
One possible recruitment strategy is to employ individuals with knowledge and skills valuable in cyber security. For example, one could consider a person with forensic science and IT experience or process engineering and regulatory compliance experience.
Another recruitment strategy is to focus internally and repurpose talented and willing employees who have a deep understanding of the business environment, people, processes and systems to advance into cyber security careers.
However, cyber security professionals with the requisite technical expertise will not guarantee the entire company’s protection. After all, tech-savvy companies like Facebook, Google and Sony have been victims of high-profile cyber attacks.
Cyber security is about protecting the business
One of the common problems in building digital resilience is senior business leaders who expect cyber security experts to make decisions that are really business decisions and should be aligned with business goals.
Another related issue is IT leaders who struggle to convey cyber risks in business terms to get business leaders to buy-in and get involved in digital resilience efforts. Building digital resilience requires a company-wide effort.
In his book “Digital Resilience”, Ray Rothrock, a pioneer and thought leader in cyber security, explains how leaders can set about creating a culture that will thrive despite persistent cyber assaults.
Even employees who believe cyber security is not part of their job description will need to be encouraged to practice good cyber hygiene. Across the supply chain and company-wide, board members, executives, managers, employees and partners need to proactively deal with cyber crime not merely as a technology risk but as a serious business risk.
Cyber crime poses a threat to the company’s shareholders, strategic direction, financial performance, regulatory compliance obligations, core operational performance and reputation.
Cyber security is about being business-savvy
CEOs whose companies fall victim to high-profile cyber attacks need to realise that none of the regulators, shareholders, media, business partners or customers will hold the cyber security management and staff accountable.
It will not be the chief information security officer, the chief information officer or cyber security vendors who will need to account. And CEOs will not get away with blaming their cyber security standards and regulations, the anti-malware software technologies, anti-virus products, those unpatched legacy systems, or a faulty firewall.
Like most safeguards, the multiple cyber security standards and regulations that organisations have to comply with do not guarantee protection. International cyber security experts Thomas J. Parenty and Jack J. Domet, in their book “A Leader’s Guide to Cyber Security”, agree that one of the significant limitations of cyber security standards is that they are designed for the generic organisation.
They also argue that standards can make cyber security sound more complicated than it needs to be. Organisations need to understand their fundamental cyber security requirements and adapt the cyber security standards and regulations to address their policies and measures to fit their business.
A CEO’s business expertise plays a pivotal role in determining the most appropriate protections. CEOs need to become familiar with their threat landscape and understand the cyber threats that make their organisations vulnerable.
Phil Zongo, an experienced cyber security expert and author of “The Five Anchors of Cyber Resilience”, recommends that leaders focus on protecting their most highly valued digital assets − what he refers to as the ‘crown jewels’ of the organisation.
The application of enduring business principles such as determining the appropriate organisation priorities, resource allocation, risk appetite and investment decisions is arguably the best protection we have against the most dangerous cyber threat actors.
Building digitally-resilient organisational culture
One does not require a crystal ball to predict what is to come (experts issued early warnings about the imminent risk of a global pandemic).
Cyber security threats will continue to evolve rapidly, and cyber attacks will expose many more organisations in 2021, causing massive financial and reputational damage.
We can choose to use our experiences from 2020 to secure our organisations and our future better, or miss another opportunity to contribute towards building a safer digital world.
There is no time for apathy, ill-preparedness, or the blame game. We have to reverse this trend of rapidly-growing cyber security threats, by working in solidarity to defend our organisations, so that we may all dwell in a safer digital world.
The ability of everyone to adapt into the role of digital stewards securing and enabling our organisations to thrive in the face of evolving and persistent cyber attacks – that is, building a digitally-resilient organisational culture − will be one of our major responsibilities in 2021 and beyond.
Rennie Naidoo is an associate professor at the School of IT, Department of Informatics, University of Pretoria. He has served a number of clients on a number of IT projects in both the public and private sectors over a 20-year period. Naidoo is also a NRF-rated researcher. His research interests are broadly about information systems and organisations with a particular focus on IT value, IT human resources development and end-user issues. He has published articles in leading international outlets such as the Journal of Strategic Information Systems, European Journal of Information Systems, Information Technology & People, and the Information Society Journal.
He lectures topics on IT investment and enterprise systems to postgraduates at the university. He is passionate about giving those who work in the IT field greater insights about business and finance. He runs a course on finance for IT professionals through CE@UP.