Amid a perfect storm of business change and evolving security risk, Kate O’Flaherty explores why the security function must successfully align itself with the various facets of the wider business.
There is an age-old conflict between cybersecurity and the rest of the business. In a digitally-driven era where data directly corresponds to revenue, security is often seen as a barrier to day-to-day business operations.
However, the need for information security to work harmoniously with the rest of the business has never been more urgent. The current cybersecurity landscape is becoming more difficult to manage as the COVID-19 pandemic pushes firms to their limit. Employees are now working from home, using potentially risky technology such as video conferencing across their own home networks and devices.
It’s therefore no surprise that cyber-attacks are increasing. The recent National Cyber Security Centre (NCSC) annual review showed a record number of cybersecurity incidents over the last year, with more than a quarter related to the pandemic.
As part of this, the insider threat is more relevant than ever as employees fall for phishing emails that can allow malware such as ransomware to ravage systems. At the same time, firms are increasingly aware of their digital supply chain. The phrase ‘you are only as strong as your weakest link’ has become a security cliché, but it is true in most cases.
Amid this perfect storm of complexity, modern information security needs to act as a business enabler, rather than a barrier to a company’s aims. This requires the security function to understand the specific needs and goals of the business while ensuring effective and holistic data security. So, how can cybersecurity most effectively align with the wider business?
Business Challenges
It is first important to understand and acknowledge business risks. The pandemic has resulted in societal confusion and uncertainty as well as new ways of working in a distributed environment with new technology, says Joshua Burch, senior managing director and EMEA head of cybersecurity at FTI Consulting. On a human level, he says, potential victims are more psychologically susceptible to attack – and opportunities for cyber-criminals are growing.
It is a challenge that should be met head-on, but cybersecurity leaders are often held back by the way their business views the area. “Information security is often seen as a barrier to progress, or a hurdle to be overcome to achieve an outcome,” says Gemma Moore, founder and director of information security consultancy Cyberis.
This, of course, can encourage employees to try and find ways of getting around security controls to get their job done. “When security is a blocker, people find ways to bypass controls that are there to protect them and the data you are handling,” Moore adds.
However, this tension is something that has to be accepted, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. He says it creates the need for security-by-design from the outset. “Security always comes at the expense of convenience. It’s where we are and it’s going to remain that way.”
Yet, one of the main issues associated with cybersecurity and its implementation within the wider business is that it is often an afterthought, says Kris Lovejoy, global consulting cybersecurity leader at EY. At the same time, she says, there is a disconnect between cybersecurity teams and adjacent functions within the business. “When cybersecurity is implemented as a ‘crisis need’ or a ‘problem solver,’ the result is a patchwork infrastructure which causes unnecessary complexities and increased spend.”
Much of the problem involves convincing the business of the need for investment in security and security-by-design. One of the greatest challenges, according to Ben Carr, CISO at Qualys, is how security leaders translate technical data into business risk information.
“Finance teams are well-versed in understanding the cost and risk around new product development or entering a new market. If you can put your security analysis into those same terms that the business can understand, your executive and board stakeholders should be able to respond effectively.”
Carr says CISOs need to provide updates on how business risk changes over time based on how circumstances evolve and new security risks emerge. “This can also provide an opportunity to show how the organization’s security approach reduces risk levels in the longer term.”
Amanda Finch, CEO, Chartered Institute of Information Security, agrees. She says that how security leaders understand the risks and communicate them is key. “In order to align with the business, the security team needs to understand and communicate business risk, including levels of risk, what risks are and aren’t acceptable, and how best to mitigate them.”
For instance, Finch says, the security team might perfectly understand the technological challenges and threats involved in embracing a 100% remote workforce, but to fulfil its strategic role, it also needs to understand how this will affect risk.
This includes duty of care for employees, obligations to partners, customers and shareholders and regulatory obligations. “Security needs to be able to show the organization the most low-risk way of achieving its goals, and what steps need to be taken,” Finch says.
What’s more, security teams need to ensure they are using clear, non-technical language at all levels of the business to describe risk.
For example, senior executives might not understand the consequences of breaching a specific ISO regulation, says Finch. “However, they will understand the impact of fines or halting production. Similarly, home working employees will be more receptive if they understand the risks to them, or even their families.”
It is also important to remember that there is a balance to be struck between risk and opportunity, Moore points out. As part of this, she says: “It’s important to understand as a business what types of risk you are willing and able to tolerate, and what that means in terms of the opportunities you can seek out.
“There is no such thing as being completely, 100% risk free: any business that locked itself and its employees down to that level would be unable to achieve anything.”
Meanwhile, Finch says the security team needs to take on a more educational and collaborative role. This includes coaching employees to reduce, recognize and react to threats, and staging mock attacks.
Executing this properly demands more than just technical skills – security teams also need the ‘soft skills’ necessary to teach, manage and communicate with their co-workers at all levels, Finch points out. “Recognizing these skills, training the right people or hiring them in, is an essential part of security best practice.”
Structure in Cybersecurity
Like other business disciplines, cybersecurity needs to have structure, says Mark Raeburn, managing director at Context, part of Accenture Security. As part of this, he says: “Information security needs to demonstrate its alignment with the organization’s overall objectives and accept that, like any other business element, trade-offs will need to be made.”
Business leaders also need to change and grasp the importance of embedding security into their long-term strategies, says Raeburn. “This means, when engaging with the board, security professionals need to move from a siege mentality and learn to speak the language of the business to focus on solving priority business problems, while showing how good security enables growth.
“This is more important than ever today as more employees work from home, which makes companies more dependent on technology.”
It is also not always the case that the more freedom you give your employees to innovate, the less secure you become. “This is something I often hear in relation to very agile environments in fast-paced innovative industries,” Moore says. “People will resist the implementation of security because they perceive it as something that will slow down development, stifle releases and generally cause a lot of pain.
“On the other hand, there are hugely innovative fast-paced companies that, from the start, integrated security into their DevOps pipeline. They also embraced automation, integrated security testing and code audit at multiple stages and effectively made it really easy for their developers to roll out new products in a way that was secure, seamless and importantly, painless for staff.”
Taking this into account, making security a business enabler is key, says Burch. He advises companies to first focus on understanding risk. “What are your crown jewels – and the network, systems, data and relationships that are critical to their delivery? We emphasize to clients that if they don’t know, they are focusing cybersecurity resources in the wrong place.”
It might seem obvious, but the priority needs to be getting the basics right, Burch says. “Often, people aren’t patching and putting the right policies and procedures in place. If those aren’t right, firms will suffer.”
As part of this, firms should implement the latest updates to operating systems and apps, restrict the access rights of staff connecting to the corporate network and enforce the use of strong passwords for corporate resources, says David Emm, principal security researcher at Kaspersky.
At the same time, Emm says, businesses should provide a VPN for staff to connect securely to the network, back up data regularly and ensure staff are aware of the methods used by attackers to gain access to corporate resources.
Beyond these basics, Burch adds: “As well as building in cybersecurity at the outset of product development and design in terms of technology, also embed it in your processes and policies to save you dealing with problems down the line.”
With this in mind, Moore points out the importance of creating a security mindset and culture within the business, educating employees and information security teams and examining the way you market and sell yourself to internal stakeholders. “In the most successful relationships, people do not come to the information security department and ask ‘can I do X?’ Instead, they say, ‘I am going to do X. How can I do X securely?’ Security has to help the rest of the business solve its problems, not stop it from operating.”