If there has been a benefit to the overall cybersecurity landscape, it’s that the awareness the average business has on the subject has increased. With more breaches and vulnerabilities now being covered by the news and elsewhere, companies are now aware of the repercussions should they fail to protect themselves adequately.
That said, it doesn’t mean that these companies are awash with knowledge on how to achieve this. For Sean Rooney, cyber risk and assurance director at Integrity360, there is still a large gap in this area. This isn’t good considering that security now needs to be at the forefront of business decisions.
“[We’re] now at a point where security has to be thought of first,” he said. “It has to be part of the culture of the business. We’re not there yet, we’re at a point where an organisation for the board is taking an active interest in cyber risk and technology risk and asking questions.
“Not all boards, mind you, but this conversation is still very much driven in some organisations by IT to help understand the risks. [The problem] may be not being able to communicate that fully in a business language to the board so they can understand the severity of it.”
For Rooney, security is a strategic business decision, something that’s interwoven into the culture and how organisations run day-to-day operations. Getting to this point will be a significant challenge, but he believes that this is something companies can do. In some cases, it’s questioning why certain mantras and approaches can be the way forward.
“It’s a challenge, but it’s something that we can do,” he said. “We need to move away from just this singular focus on technology. For years, we’ve talked about people, process and technology, but what does that mean?
“In reality, it’s about human behaviour. It’s about how people do things, how people react, how people work on a day-to-day basis. That’s what we do, talking to people about the capabilities they have.
“Are we there yet? I don’t think so. In terms of the processes . . . it’s all the layers of controls on how we do things written down so people understand what the policy of the organisation is, what the standard they have to follow is and what the process when they’re doing something is, so that becomes second nature to them.”
The holy grail for cybersecurity is for it to be in the subconscious of every person – everyone from entry-level to the boardroom is aware of good practices and will take the necessary measures to stay protected. Getting safely to this point very much requires a shift in mindset, something easier said than done.
“There’s a big mindset shift [required] and that’s one of the biggest challenges organisations have,” Rooney said. “Shifting that mindset towards a security-first approach and culture . . . It will be difficult because mindsets are difficult to change; you have to change the beliefs and values of the organisation. It’s doable, you just need to focus on it. Very often these are the areas that don’t get the focus. Organisations might have the values [written down and say] these are our values, but are they real?
“Is ‘security first’ a value that you can live and demonstrate really? That’s the challenge I think we have for the years ahead.”
The other challenge behind this is to balance the risks with the functionality of the business. You can’t have a situation where you shut most things down, as that would prevent employees from getting their work done. Instead, you need to understand what and where the risks are, and which ones you’re willing to take. Security needs to be seen, not as something that prevents people from being productive, but enables them to do their work securely.
“People need to be able to do their jobs, they need to be able to do them fast and efficiently, and with agility,” said Rooney. “[Security is] about understanding what’s happening, seeing it and not blocking things, but allowing things to happen. If something goes wrong, catch it or something gets in, catch it because if you think about it, we in security, we’re always one step behind, or maybe a leapfrog scenario.
“We’re never going to surpass what the attackers are doing; they will always find new ways to get past our defences so we just have to be ready to get them in and be able to respond, react quickly, to make sure that they can’t do any damage, and that we can keep them out the next time.”
Giving a clear, definable purpose behind each major security action or measure will go a long way towards helping your cause. If your employees understand why a measure has been taken and it adds value to what they’re already doing, behavioural changes should follow.
“When people know why it’s important to them, very often they’ll follow suit,” Rooney said. “They’ll understand that this is the way things are done. This is done for a reason. Let’s follow it, you know.”
The ultimate goal is for everyone to have a good understanding of security and what’s required of both them and the organisation they work for. For too long, it was neglected as it was seen as IT’s responsibility, but Rooney says that people can be the strongest link in security, if they’re treated the right way. Sometimes that means asking the basic questions and building up a new picture of how the business works. By taking a security-first mindset, you can look at how security fits into the company and how you can build it into the culture and enhance it.
“We’re at a point now where security has to be built into the culture of the organisation,” said Rooney. “It can’t be an afterthought any more, it can’t just be functional, it has to be built into every project that we do.
“We have to think about it from from the outset, from when we’re thinking about launching new services . . . take a systematic framework approach, cover all the bases and make sure it’s a process that’s built into the organisation.”