Cybersecurity is now synonymous with information technology (IT). IT has become pervasive in our daily lives in everything from healthcare to banking. Not only is IT ubiquitous, the innovation it breeds is increasingly disruptive and for every new application, service or solution, information security is now a must-have.
Because society is networked to a degree beyond what many realize, the concept of “security by design” is mandatory from both a safety and trust perspective. It must also be implemented in a way that won’t sacrifice usability. Today’s digital strategy requires security to be integrated in a transparent manner so, at the minimum, it will reduce support hassles, making customers happier – a priceless benefit.
Two examples of this I often cite are the fingerprint-recognition system and the contactless payment function on today’s smartphones. They have made things faster, easier to use, more convenient and more secure, and, when it comes to mobile payments, there’s less small change to carry around. What made this possible was thoughtful cybersecurity.
The cybersecurity mindset
I’ve been working in information security for decades, and feel it’s important to share some of the critical aspects of effective security. In my opinion, cybersecurity should be integrated, automatic, efficient, cost effective and as transparent as possible. As I mentioned above, customers should not have to choose between security and usability. Unfortunately, unlike in most industries, liability for security has been placed excessively on the end user, and he or she is faced with the grim prospect of continually patching systems and changing passwords.
Cybersecurity should not be done for the sake of security itself. It’s also important to remember that cybersecurity is not just a technology problem. It has an important technological dimension, without doubt, but also involves processes and people. The goal of cybersecurity is to protect an organization and allow for a common operational, design and psychological framework for disparate business systems.
Most C-suites still see security as a technical, operational or preventative issue, and not a strategic or proactive one. This is a dangerous mistake. Cybersecurity is now fundamentally a business problem and a form of business risk (not merely “cyber risk”), meaning it’s an issue for executives and corporate boards to address. Companies need to approach this risk as they would any other business uncertainty. Given the increasing interconnectedness of today’s business IT systems, the security of data is now the greatest threat to businesses. Understanding business motivation is the key to understanding this point.
What qualities should cybersecurity professionals have? Over the years, I have seen this skillset evolve, but today they need traits beyond technical skills and expertise in vulnerabilities. They also need to know how attacks work in practice (not just in theory), and to understand state-of-the-art defenses and their limitations. Most importantly, they must have a keen understanding of the business risk.
Ultimately, the cybersecurity mindset is the ability to communicate and bridge gaps between various stakeholders, such as technical experts, management and even regulators and governments, so that each understands why security matters from the others’ perspectives. This is a critical capability because so many stakeholders in the ecosystem are ignorant or neglectful of the needs of others, which is at odds with the ever more networked business models we are developing.
The business benefits
There’s a strong business argument to be made for cybersecurity. The resulting business process improvements obviously allow for faster recovery after an incident, but they also bring lower insurance premiums; enhanced financial ratings; lower legal liabilities; better customer loyalty; lower cost of adhering to regulations, policies and business agreements; better disaster recovery; and lower total cost of ownership (TCO) through intelligently integrated technology.
Fundamentally, a secure digital strategy can help enable and increase profit in several ways: integrated, well thought out security can boost efficiency and productivity; it can enable new networked IT business models; it can foster a security mindset in an organization (including IT, human resources and physical security) for a unified, streamlined security workflow; and it can help differentiate an organization from competitors through a better security reputation and trust. The need to implement information security products and services should not be perceived as a “tax” for doing business in the IT age, but a potential differentiator, competitive advantage and a benefit to the consumer with a measurable ROI.
Information security also means more than just being compliant. It means developing a holistic program that continually assesses, documents and mitigates data loss. In doing so through proper security, teams end up developing overarching processes, policies and frameworks that foster a greater sense of community and cohesiveness within the entire organization.
As a technology and industry, data security must mature with the new realities of data, networks and the increasingly important role they play in business and our everyday lives. When it meets that standard, secure digital transformation will propel businesses to new heights of value.
Appropriately, former U.S. Federal Communications Chairman Tom Wheeler recently made an important point about cybersecurity that bears repeating. The title of his blog post for the Brookings Institution, which discusses the FCC’s role in dealing with online threats, says it all: “Cybersecurity is not something; it is everything.”