In the early weeks of 2020, the Cybersecurity and Infrastructure Security Agency (CISA) published its first official guidance – a warning to US-based organizations to assess the ramifications and potential threat of a cyber-attack on their businesses following heightened tensions with the Iranian government. The advisory raised concerns about geopolitical tensions, the possibility of destructive cyber operations, cyber-enabled espionage and disinformation campaigns. CISA’s warning served as a stark reminder of the outsider threats that could impact an organization for purely geopolitical reasons. Without proper cybersecurity programs in place, all organizations are exposed.
A few months later, the COVID-19 pandemic quickly overshadowed CISA’s warning. As the virus gained speed in the US, cybersecurity teams quickly shifted their focus from geopolitical concerns to a global health crisis, needing to make adjustments on a dime. This included moving essential applications to the cloud for easy access by now remote workers and establishing stronger security controls to accommodate this dynamic.
Both events highlight the increasing cybersecurity risks in today’s highly digitized, interconnected world. Organizations need the operational agility to react to problems as they arise, and that agility comes from having fortified the security of their users, systems and data in advance of the unforeseen. This must be the basis of all modern cybersecurity programs. It starts with cyber-professionals having a seat at the executive table.
Moving From Defense to Strategy
Organizations’ business practices are often not aligned with their cybersecurity strategies. Senior executives typically make strategic business decisions around revenue and profit attainment without considering the ramifications these approaches might have on their exposure to cyber risks. These business decisions are often made in silos without seeking cybersecurity expert counsel, ultimately throwing those responsible for warding off cyber-threats into a defensive position.
According to Verizon’s 2019 Insider Threat Report, careless workers, disgruntled employees and growing third-party workforces make up three of the top five insider threats an organization faces. These risk factors are an inextricable part of all businesses. Yet, security professionals are too often put in a position where they are reacting to decisions not only after they have been made but often after they have been implemented. Having greater visibility and input into this decision-making process from the outset allows cybersecurity leaders to collaborate with different departments across the organization and ensure business initiatives are in concert with cybersecurity programs. This will place organizations in a better position to ward off cyber-criminals.
Achieving Operational Agility Within Organizations
Organizations have long followed business continuity management practices to ensure that in the event of natural disasters, financial crises or other business-altering events, they have the right processes in place to continue delivering their products or services with minimal disturbance. While it’s good to have these plans in place for certain “predictable” disruptions, 2020 has shown that some events can’t be predicted, either in nature or scope. Whether it be a geopolitical concern, a global health crisis or an unprecedented cyber-attack, these events won’t always have a playbook to follow; they simply require businesses to react quickly and in real time. Evolving from the traditional business continuity mindset to an agile mindset is necessary to combat the many challenges businesses face today.
Allowing cybersecurity teams to create more robust ecosystems that support operational agility within their organization is vital. They need the support and resources to create less rigid, more flexible and responsive cyber frameworks. Having a seat at the executive table where these important business decisions are being made can push these measures forward.
Shifting Cultural Mindsets From Profits to Protection
Pushing cybersecurity to the top of the C-suite’s agenda bestows a new cultural mindset from the top down that puts protection over profits. Or at least it makes them equal.
All organizations are willing to accept some risk in their go-to-market strategies: “No risk, no reward.” Whether an organization can measure and understand the level of risk, including the exposure to cyber-risk, is the question. When cyber-professionals have more visibility into business strategy and more influence, they can help organizations understand their true risk exposure and shift those mindsets. Unfortunately, the more common reality for businesses is to wait until they’re caught red-handed in the middle of a cyber-attack before realizing an investment in stronger collaboration with their cybersecurity professionals is worth it.
In a year that saw a 40% increase in weekly cyber-attacks compared to 2020, being negligent in the face of a data breach is no longer a viable excuse. The government can help, and is trying to help, this situation with guidelines of its own. Still, as the custodians of sensitive data, other companies’ data and, importantly, people’s personal information, the onus should fall squarely on organizations themselves.
A Modern Infrastructure Needs a Modern Cybersecurity Strategy
The digital transformation of the next 10 years will be unlike anything we’ve seen in the last 20. Digital technology will permeate every aspect of our lives, and increased usage of bots, RPA and Internet of Things (IoT) devices will have an incredible impact on business everywhere. To achieve operational agility, organizations need to align their cyber programs with their current technology infrastructures and move away from outdated cybersecurity programs, technologies and, most importantly, mindsets that many are still using.
As businesses become more digitized and interconnected, we can expect to see more cyber-attacks. To reduce overall cyber-risk, cyber-professionals once and for all need to be an inextricable part of top-level discussions where they can proactively provide insight on how to align business needs and cybersecurity protections to create a strong and modern cybersecurity posture.