Last year, CIO, CSO and PricewaterhouseCoopers released a new Global State of Information Security survey, which polled more than 10,000 executives from 127 countries about IT security. The results were a mixed bag, with security incidents up 38% over 2014 but corresponding budgets rising only 24%.
The survey reflected broad thinking about how companies are trying to defend themselves from hackers as well as employees, the most often cited sources of security compromises. But despite the continued growth in hacks and other security incidents, there were some important signs that security threats aren’t being taken seriously enough at the executive level. For one, the poll found that only 45% of boards participate in overall security strategy.
Brakes for your bullet train
This finding reflects a common corporate psychology that cybersecurity is a cost center and a drain on resources – a Cisco survey of over 1,000 executives also found that 74% of respondents in the U.S. said that the main purpose of cybersecurity is to reduce risk rather than to enable growth. I’ve found that people tend to think of cybersecurity as costly, complex, inefficient, and a damper on productivity. Many people believe it may not actually work or mitigate risk. This can lead to security measures being implemented piecemeal without any overarching policy, resulting in costly but poor integration.
To make matters worse, by focusing on cost as a deciding factor for IT purchase decisions, companies will try to implement the bare minimum and, in some cases, also sacrifice usability and, by extension, business productivity. Employees who aren’t confident in the tools and systems they are provided often turn to “shadow IT” – tools, many of which are cloud-based file sharing applications, that are not officially approved for use by the IT department.
This kind of mindset has engendered a defensive posture that’s not only inadequate when it comes to dealing with growing cyber threats like ransomware, but also short-changes the growth potential of business. Doing cybersecurity the right way is a must, and it has to be done at the highest levels of an organization because it affects the whole entity. But we can’t just think about it as a layer of protection. We have to think of cybersecurity as a plus, not a minus: a means of better using ICT to improve efficiency and productivity. This is true for companies as well as nations. To employ a Japanese example, the best way to think of cybersecurity is to compare it to the brakes on the famous Shinkansen bullet train. In 1964, the trains were heralded for their speed, but frankly anyone can make a fast train. It was the innovations in brakes that allowed the speed. The brakes aren’t there to act as a drag on the bullet train’s performance – they allow it to travel faster than conventional trains because they put the train drivers in control of its speed. To go really fast, you need really good brakes.
What do companies need to do? A few simple things. Number one is to stop playing whack-a-mole with threats. Part of this may include a thorough review of existing security measures and considering whether that patchwork is really up to preventing the latest threats posed by ransomware actors and other cyber criminals.
Number two is to implement security measures intelligently and effectively in an integrated fashion through security by design using (at a minimum) intelligent, automated platforms. That means security is built in from scratch in everything from software running on your widget to how you’re protecting sensitive data that lives with the legal, HR and IR departments. A platform approach can reduce costs, increase efficiency, enhance system robustness, and improve functionality and resilience while making things more secure. But more importantly, in our ICT-dependent society, it improves the ICT-based product or service, increases ease of use, reduces TCO for all and allows for new and differentiating functionality and features.
Think about what that means: cybersecurity can be a profit center. As seen in the example above, cybersecurity is no longer just an IT issue. It’s another form of risk that happens to cut across every organization. It’s also a board issue and a critical priority for management as well as shareholders. That’s an important point to make when it’s shareholder meeting season, as it is now here in Japan. Investors should be asking their companies what their cybersecurity policy is in terms of its defensive position, breach response protocols, resilience and governance and business continuity. They should also be asking how their company is using cybersecurity as an opportunity to enhance resilience, increase productivity and efficiency and what related products or services they are rolling out.
Like all sources of risk, cybersecurity must be incorporated and addressed at the leadership level. Cybersecurity is part of ICT and ICT is a competitiveness game changer. There’s no more time for excuses when it comes to building the best cybersecurity infrastructure for businesses and other groups.