Cybersecurity 'not a technology project', says expert

Published on June 22nd, 2022


With a rapidly evolving threat landscape, an increasingly distributed workforce and growing reliance on the cloud, cybersecurity teams are constantly dealing with mounting pressure to make strategic decisions to stay ahead of cybercriminals.

In an exclusive interview, ITP.net caught up with Shoaib Yousuf, Partner and Cybersecurity Expert at Boston Consulting Group (BCG), to explore the different trends impacting the cybersecurity space and how organisations can fill the gaps.

As enterprises ramp up their digitalisation initiatives, how should cybersecurity strategies evolve to ensure the success and resilience of such endeavours?

Cybersecurity should be an enabler of digital business initiatives rather than a blocker. The shift to remote and virtual work has been a boon to cyber-attackers. Massive data breaches continue, but it’s a mistake to think cybersecurity is purely a matter of technology and network security. Enterprises on a digitalisation journey need to adopt a “secure-by-design” mindset to ensure that cybersecurity risks do not derail the success of digitisation programmes.

A BCG study of 50 major data breaches found that only 23 percent were caused by inadequate security technology. In the vast majority of cases—77 percent—the breach was the result of an organisational failure, a process failure, or human error. As organisations increase their digital maturity with new initiatives, it’s important to note the new cyber risks introduced and plan for them accordingly – e.g. the industrial internet of things holds great promise to advance the capabilities of non-digital-native companies.

A recent industry study revealed that nearly 80 percent of senior IT and IT security leaders believe their organisations lack sufficient protection against cyber-attacks despite increased IT security investments. What do you think are the key factors behind this?

As digitisation’s role in companies’ operations continues to grow, vulnerability to data theft, leakage of intellectual property, denial-of-service attacks, and the like is growing apace. Many companies are significantly underprepared.

Increased levels of digitisation expand the potential attack surface for organisations, and the trend of major ransomware and supply chain attacks continues to proliferate across all industries and geographies. Additionally, some organisations are starting from a less mature starting point and this increased security investment may be just catching up to peers in their industry, while other organisations that are already more advanced recognise that hackers are constantly innovating and finding new ways to attack, so effective cyber defense requires counter-innovation and continuous, carefully planned investments.

Given the continuous cybersecurity workforce shortage, companies can’t hire their way out of this problem. But there is a solution: cybersecurity upskilling. According to BCG analysis, many functions—such as IT, risk, legal, HR, accounting, and operations—have the potential to learn critical cybersecurity skills.

Shoaib Yousuf, a partner at Boston Consulting Group (BCG)

Ransomware and supply chain attacks are among the biggest threats that made headlines last year. With businesses increasingly embracing hybrid environments, what gaps should they be on the lookout for?

Businesses most at risk of an attack and its consequences are those in which information drives a large portion of value generation and the information passes through many interconnected systems. Companies with complex application and system landscapes are also at high risk, as are those that rely on complex or meshed networks or whose business is driven heavily by mobile transactions.

Effective security for a company’s information and the technology used to store and process it will address a number of critical elements, including confidentiality, integrity, availability, accountability, and the provenance of the information. Organisations should continue to do their diligence on the security posture of the different vendors in their supply chain and perform a risk assessment on potential threats introduced by their third parties.





IT security should be viewed as a necessary cost of doing business and as a component of the company’s overall IT risk-management programme. In relation to continued hybrid ways of working as introduced at the beginning of the COVID-19 pandemic, it’s important to continue to shore up the network perimeter as well as employee devices and endpoints, to ensure they are secure wherever they are working.

Which security threats should organisations be wary of in 2022? And which technologies should they invest in to defend themselves against these threats?

While digital tools offer excellent support for remote workers, shifting work patterns on such a massive scale can have serious unanticipated implications for IT and cybersecurity. Ransomware and supply chain attacks continue to be a major issue, with several notable breaches of this variety already making headlines in 2022.

By implementing a number of practical training, process, and technology measures, companies can avoid a potential cyber crisis. In fact, the cybercrime explosion is fueling a cybersecurity spending boom. Companies are purchasing and deploying a plethora of security resources and tools to identify these threats, protect against them, and recover quickly with minimal damage—financial or reputational. Companies need to take a step back to better understand their control framework and organisational challenges in detail, and then consider which remediations will give them the best outcomes.

Going forward, Zero Trust will play a key role in moving forward by helping organisations continuously validate users and identities before allowing them access to key assets and shifting the classic trust model.

What role can BCG play in helping enterprises to stay resilient and cyber secure?

Cybersecurity is not a technology project. It’s a business project with a strong tech component. Effective cybersecurity must consider people and organisation strategies; more than 70 percent of breaches are caused by non-technology related failures, so getting these organisational elements right is imperative. Companies that understand this don’t pursue wide-ranging—and often impossible to implement—cyber roadmaps. They focus on the risks and capabilities most relevant to their business strategy.

Cybersecurity must be table stakes for all organisations and we help to elevate cybersecurity to a front-of-mind topic for boards and C-suite. This perspective shapes our unique approach to cybersecurity. And it’s why a big part of our work is about enablement: building a foundation for continual improvement. So even when we step out of the picture, companies can keep their cybersecurity strategy and their business strategy aligned.

By looking at cybersecurity through a business lens, we help companies identify the risks they can and can’t accept. This lets us develop business-driven and risk-aligned capability roadmaps and helps us integrate cybersecurity with the overarching business strategy and help our clients ensure that their critical business initiatives are not derailed by security lapses. Companies then focus their efforts—and investments—where they matter most.
