Jack O'Sullivan
November 24 2020
It appears that lots of people believe in cybersecurity, judging by the headlines we see:
(Some slight paraphrasing here; but we bet you’ve seen similar posts.)
According to a recent ISACA survey, the majority of business leaders believe in security too. The ISACA analysis shows us that 55% of company directors and executives believe they’re doing everything they can to safeguard their digital assets.
Dig deeper into the ISACA data, however, and that self-belief starts to erode.
So why doesn’t perception (“we’re doing everything we can”) match reality (“we flout all the basic security practices”)?
If the argument that security awareness and policy must trickle from the top down is so widely accepted, why do so many companies still struggle with security?
Fundamentally, security isn’t your business. You sell widgets, you create web apps, you build connected devices - or something else that isn’t security. Your business is getting your product into customers’ hands. The pressure to hit milestones weighs heavier than anything else.
Therefore what matters – what you truly believe in – is Time-To-Market. Of course you’re aware that security is an important component, but it’s not a priority. And though you’d never say it out loud, it’s cheaper and easier, at least in the short term, to ship insecure software or apps. Basically, security is a nuisance.
Also, people are generally risk takers. You’ve never been hacked or compromised before. You’re flying by the seat of your pants to get your product out on time. So you’re happy to do what you did last time, with a few tweaks maybe, and go again. If you were secure before, you’re secure now. Right?
Other factors weigh heavily too. You might not have the relevant skills in house, for example. And if you decide to work with a cybersecurity supplier, how do you find the right one, with the skills and pedigree your business needs? Assessing and vetting security people can be daunting.
This is when the headlines listed at the top of this blog offer a ray of hope to anyone responsible for ensuring their apps and systems aren’t breached. You’ll notice that these articles are usually written by someone who wants you to use their security product, one that solves all your problems. But even the best product in the world can’t do this.
Without using the words ‘snake oil’ (oops), how can there be one product for every company’s risk profile? How can one product understand the subtleties and nuances of your business? How can any product, on its own, help you navigate that ever-changing cybersecurity landscape you keep hearing about?
Of course technology has its place, and it’s extremely important, but it isn’t the answer on its own. It’s only when technology is combined with people and process that we start to get somewhere. People and process are critical, and by people and process we mean those within your company. When all three are combined you can build a security culture that is embedded in everyday working practices.
Technology + people + process = the holy trinity.
Without truly believing in such a holy trinity, security often becomes a box ticking exercise. Pentest reports are created but not acted upon. Money is splurged, but no one learns.
It might sound like a doomsday scenario, but it’s something we see time and again. We wonder why a company pays for a pentest report if there is no way, or no one, to act on it.
Believing you’re covered because you’ve ticked off a pentest, for example, only endangers you, your staff and your suppliers. A pentest report is a snapshot: every finding it lists remains exploitable until someone remediates it, and each new release can introduce findings the report never saw.
Here’s a short list of commandments for directors and leaders, or indeed anyone responsible for online security within your business.
It may sound daunting, but with the right tools, training and support in place, you’ll have the peace of mind of knowing that you’re genuinely doing all you can to prevent a breach or attack.
Good cybersecurity means human readiness, sound processes and solid technological defences.
Good cybersecurity means believing in cybersecurity. Help spread the word by circulating this article to whomever may benefit most.
We believe that the security of your critical networks and data is key to your organisation’s success. Whatever your sector, whatever your size, our mission is to help you to seize the competitive advantages of providing your clients with security, compliance, and reliability.
For more information, contact a member of our dedicated team.