At Cisco, we talk a lot about cybersecurity as a strategic advantage for organizations. We believe that a strong security program must be an inherent component of a digitization strategy. There are consequences for organizations that don’t have a plan for addressing this risk. As Ashley Arbuckle, Vice President of Cisco Security Services, said in his blog post last week, “Organizations that have any doubt about their cybersecurity capabilities delay important digital initiatives and risk falling behind the competition tomorrow.”
The intertwining of business strategy and cybersecurity strategy is resonating more and more with our customers, and not just those who focus on security as their primary job role. This summer, at Cisco Live US, over 100 IT executives attended an Executive Symposium, and a good percentage of them stayed an extra day to attend a workshop on how to build a plan to protect their digitization strategy.
Since this month is National Cyber Security Awareness month, I took the opportunity to catch up with the security experts who presented the workshop: Patty Wright and Gary Alterson from Cisco’s Security Advisory Services group. Here’s what they say are the 3 things you need to do now to protect your organization’s digitization strategy.
Patty Wright – Senior Director, Security Advisory Services
Gary Alterson – Practice Lead, Strategy, Risk and Compliance
Once an organization has acknowledged cybersecurity as a critical component of their digitization strategy, what should they do about it? They probably already have some security measures in place. So, maybe the better question is, what should they do differently?
Patty: We talk to customers all the time, and they do have anti-virus, firewall, intrusion prevention and other security technologies in place. But, if the company is seeking a digitization strategy, they are going to need to do more than the basics. A basic strategy tends to be very reactive: a security issue comes up, the IT department applies a product or technology to resolve that particular situation. That approach is inflexible: it solved a point-in-time problem, but a week later, a month later – something in that environment will change and the security band-aid won’t work any more. Maybe they added a new application to improve customer experience. Maybe they merged with another company and now they have a blended IT environment. The original solution to the point-in-time problem doesn’t work. So, the first thing organizations need to do is to move beyond the basics.
Gary: A lot of organizations believe they have the basics in place, and they may have at one point in time, but the basics are a moving target, evolving as threats and technology evolve. For example, given the pervasive use of cloud, cloud security architecture and supporting controls should be a fundamental security basic, and we have a long way to go as an industry on that.
In addition to ensuring they have the right technology, implemented the right way, for the right business reasons, they still need to think about the people and the process elements of their programs. Do they have the right skills in place? Are they interlocked on security strategy not just within IT and security functions, but across business functions as well? Are there operational processes in place for security? How will they measure success of their program?
Patty: Many organizations built their security programs 8 or 10 years ago. They haven’t fully considered how they will manage risk within their digital process or how they will adapt to changing industry requirements. Even their governance models for security are likely to be inadequate because they do not allow for the agility required for today’s environment.
So, the first thing organizations need to do is move beyond the basics. What’s the second thing they should do?
Gary: Even when they have the basics in place, many organizations find themselves stuck fighting the last battle. They aren’t able to look ahead and proactively build a flexible and embedded security architecture. This is important. If security is going to be a business enabler, the architecture needs to support constantly evolving business processes and technology without being onerous to users. One of the primary reasons you hear CISOs being resistant to change is because they don’t know how to achieve an architecture that can securely support rapid change.
Patty: That means they need to have an architecture that differentiates between different people, devices, applications, and data and applies different sets of controls. So, it starts with being able to establish identity and trust, then enforcing specific policies while applying appropriate isolation at the network, system or data level. It also includes achieving appropriate levels of visibility and resilience.
Gary: The benefits of moving to embedded security and a flexible architecture are numerous. For example, threat analytics will have much higher fidelity, time to detect and time to respond [to threats] will be reduced. Resilience to security threats will be enhanced and the longtime goal of protecting data according to its value can actually be achieved.
And the third thing they can do?
Gary: Organizations need to address risk specifically within their digitized business process. This requires mapping that process out, identifying the information risks within the process itself, as well as evaluating the underlying infrastructure, applications, and IT operations that support that process end to end.
Patty: This will allow organizations that are pursuing digitization strategies to benefit from a much stronger ability to manage risk as they move into new business models or offer innovative new experiences for their customers.