Digitisation demands a new security mindset
Rapid advances in technology are significantly shifting the security landscape – thus, digitally transforming organisations must ensure their people, processes and technology are aligned.
There is little doubt that digital transformation brings with it a range of new opportunities, but at the same time it also brings volumes more data to manage. This creates a challenge, in that organisations, while attempting to manage such data, need to strike a balance between security and availability.
For example, explains Chris Volschenk, CEO at Nexio, new technologies in connectivity and virtual infrastructure are helping companies to innovate supply chains and digitise customer experiences. However, these bring with them a new set of security challenges, in the form of an expanded attack surface.
“Essentially, this means a whole new mindset is required by the business, one which accepts that it will, at some point, be hacked. What is needed is to find the balance between the digital advantages offered by transformation and the demand for security, which is not always easy. What is required is to clearly understand how the business provides services to its customers, what customer information the business holds and what the consequences are of a breach. The larger these consequences, the more you will need to invest in security,” he says.
“Failure to do this will expose your company to risks including the potential to be attacked by ransomware – where criminals hold your data hostage – and even more crucially, can lead to an erosion of customer trust. Once this is lost, clients are unlikely to choose to do business with you any longer. Thus, it is vital to understand all your potential points of attack, encompassing not only the usual devices, but any machine – even the forgotten printer in your basement – that may have an Internet connection, or users connecting to your network.”
Volschenk indicates that there are three areas of focus when it comes to getting security right, starting with governance, which deals with the enterprise’s policies and procedures. Secondly, one requires the right toolsets to secure infrastructure and attack points, and finally, one needs the operations team to execute exactly on what the chief information security officer (CISO) has advised. If any one of these legs is compromised, he adds, then the organisation as a whole will be compromised.
“One of the biggest difficulties created by digitisation is that technology is changing rapidly all the time, which means the old, licence-based security models are no longer effective. Security needs to now be nimble enough to change on a daily basis if required – it needs to be adaptable and agile. For example, when dealing with devices, communication with these is now critical, as it is no longer enough to simply monitor these, you need to actually be able to manage them from a central point. After all, seeing that you are being hacked is pointless if you are unable to do something about it immediately.”
“Your exposure should further be limited through effective backup and disaster recovery, alongside the various security solutions. On top of this, you will need to have strong business processes, such as an information security incident response process and playbook, to govern exactly what should happen in the case of a breach.”
Such processes are crucial, continues Volschenk, adding that the company culture also plays a huge role in the success of security in the digital age. This is because the speed of technology change is so fast today that the organisation’s people have to be properly aligned to the company’s security strategy as well. And this culture, he points out, has to be driven from the C-suite down.
“In other words, security is no longer just the CISO’s problem, but rather it is an issue for everyone in the business, and it is thus important all employees understand this. Moreover, they need to be given the necessary training in order to understand not only how new security solutions – such as multi-factor authentication – work, but also why these are necessary. Ultimately, you want security to be viewed by employees as integral to who they are.
“Obviously, it is a fine line to walk between making something simple for your staff to utilise, thereby enabling beneficial operations like remote working, and making it as difficult as possible for criminals to abuse it. It is thus critical to have a CISO who understands this balance. The last thing you want is for your CISO to effectively become the chief prevention officer who adopts an old-school approach of simply saying no and blocking everything. You need a CISO who ensures that security becomes an efficiency tool, rather than a prevention one,” concludes Volschenk.