By: Kevin Delaney, Contributor, Connected Futures
We are battling a war on cybercrime. And it’s a global, agile and seemingly invisible, fight.
In the digital age, one ill-timed security breach can erase decades of brand equity in a flash of bad publicity. Being increasingly connected, digital, and mobile creates more opportunities for organizations. But it also means more opportunities for malicious actors.
This means that regardless of the type of the attack or where it comes from, security is top of mind for every organization.
It’s a bleak picture, right? Well that depends on how you look at it.
What if organizations could step beyond their defensive crouch? What if security strategies, instead of being piecemeal and reactive, became pervasive, and integrated? And what if we could, turn security into a strategic growth enabler and a competitive advantage?
The good news? That opportunity exists.
Security can be a true differentiator that supports agility, innovation, and even growth.
And to achieve those benefits you need to build a holistic security posture that starts with cultural change to your organization as the foundation for overall digital business transformation.
Such transformation is no longer a luxury. It is critical. In a climate of near-constant innovation and disruption, every company — no matter how traditional or esteemed its roots — must think of itself as a technology company.
That means that even large incumbents need to be as agile as most digitized startups, ready to respond to ever-changing opportunities — and rapidly evolving threats.
In a hyper-dynamic marketplace, fortune favors the bold.
However, the kind of bold risks and experimentation that propel a company forward can only be undertaken with the confidence that they will not lead to headline news — and a sudden drop in customer confidence and trust.
“There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked” says Cisco Executive Chairman John Chambers.
How an organization responds to that reality will go a long way to determining its future growth and competitiveness.
On the Frontlines: Cyberwar Is Hell
In recent years, highly publicized security breaches have become the stuff of bad dreams for business and public-sector leaders alike. Nefarious players ranging from hacking organizations like Anonymous and Lizard to sanctioned governments such as North Korea have upped the ante in global hacking.
The average cost of a data breach for companies in 2014 was $5.4 million, up from 4.5 million in 2013. This can include lost intellectual property, compromised customer information/confidence, cost of initial loss (e.g. lawsuits, legal fees, customer reimbursement/ credit monitoring), lost revenue and earnings, and impact on stock valuation.
In the meantime, customer concerns are rising around the world:
- In a survey of German consumers, 61% were concerned that mobile shopping was not sufficiently secure.
- In a Worldpay Research survey this year, 26% of Mexican shoppers said they had dropped a planned purchase due to security concerns; in Brazil, the total was 22%, and in India and France 21%.
- A Retail Perceptions report on customer loyalty after an attack found that 23 percent would not feel comfortable shopping at a retailer for at least three to six months after a breach; of those returning, 79%would prefer to pay with cash over credit or debit.
As connections become ever more ubiquitous, cyber attacks are moving far beyond the obvious targets of retail companies, financial services, and healthcare organizations.
Cars, for example, once seemed unlikely targets, but many have become so laden with software, sensors, and apps that it was only a matter of time before they landed in the cybercriminals’ crosshairs. This year a Chrysler Jeep Cherokee hacking resulted in the recall of 1.4 million vehicles. BMW, Tesla, and GM are among other car manufacturers that have been compromised.
The bold, risk-taking innovations that lead to such novel products in the first place could be undermined by a lack of customer confidence.
As network connectivity expands for everything from refrigerators and shoes to jet engines and medical devices, the future of innovation will need to be closely tied to security solutions.
“There are a lot of technologies out there that are helping a consumer check out. But I think the question is going to lie in the security of that transaction and if the consumer’s data is actually being protected,” says Michael Olmstead, director of Plug and Play Retail, a Sunnyvale, Calif.-based startup.
Fight Them on the Network, Fight Them in the Cloud, Fight Them at the End Points
If organizations fail to think strategically about security, executive nightmares will only mount.
And if security wasn’t complex enough, many organizations are their own worst enemies.
Enterprises continue to use too many security solutions to address a specific security issue. That approach actually ends up creating more gaps in?threat defenses. These solutions can’t – and don’t – integrate well with other security solutions which then adds to the complexity organizations already face.
Combine that with a cybersecurity talent shortage. You end up with an under resourced, and unskilled mess.
In short, an organization is only as strong as its weakest point.
In today’s dynamic threat environment, simply throwing up a firewall and responding to threats as they arise is no longer a viable strategy. Nor is adhering to dated concepts of a security perimeter.
In the Digital Era, that perimeter extends out to the farthest edges of the network, as connections become mobile and ubiquitous; it transcends the organization itself, as the extended ecosystem and value chain become increasingly expansive and essential. This demands a new way of looking at security.
The answer? Security must be as pervasive as the devices and services you’re trying to protect. You need an integrated threat defense architecture that combines visibility, control, intelligence and context.
Security leaders need to start interoperating defenses more efficiently in a way that is more automated.
Moreover, security solutions must be effective not just anywhere, but anytime. To counter advanced threats, organizations must have deep visibility into the network before, during, and after an attack.
Today, 54% of breaches aren’t discovered until months after the incident – the industry standard is 100 to 200 days before an attack is detected – and, even once discovered, many organizations lack the security talent to remedy the situation.
With real-time visibility into the network, organizations respond quickly to block threats as they do happen, prevent threats from inflicting damage, and even quickly remediate them.
Call in the Heavy Artillery: the CEO and the Board
Pervasive security goes beyond algorithms and architectures.
It demands a significant cultural change throughout the organization that calls for decisive, top-down leadership, including the CEO, the C-suite, and the board of directors (BoD).
After all, growth, innovation, and customer trust are a concern for all, and any of those assets can be undone quickly by a security breach.
“Security is no longer just a technology issue — it applies to everyone” says Chambers. “It’s necessary for technology and business leadership to align and discuss potential risks and work together to find solutions that protect intellectual property and financials alike.”
In driving overall digital business transformation, CEOs must ensure that security is consistent across the entire organization and beyond, spanning the wider ecosystem.
They must constantly assess the effectiveness of security measures as they drive pervasive culture change, ensuring that security policies are known, communicated, and reinforced.
And there must be a deep well of security talent is available, whether within the organization or from carefully selected third-party vendors.
Moreover, just as cybercrime transcends industries and national borders, so too must security.
As we have seen, threats can arise from any number of sources, including well-organized criminal syndicates, terrorist groups and nation-state attackers, and individual hackers driven by ideology.
The board of directors can drive inter-industry cooperation with unified standards and greater security awareness, along with consistent global governance. This includes more extensive international legal measures to thwart cybercrime.
After all, even if cases never go to court, the mere threat of extensive civil litigation can discourage hacking.
“Not many boards of directors today are fully aware of security implications and the options out there…The first thing that is really required for board of directors is a working knowledge of the security ecosystem,” warns Sandra Ng, an IDC analyst who specializes in the Asia-Pacific region.
Once business leaders gain that knowledge, they must ensure that their organizations:
- Simplify and operationalize security to enable teams to respond faster and more effectively to threats.
- Drive unified, automated enforcement of policies allowing for consistent controls from the data center to the cloud to the endpoint.
- Build trusted partnerships with vendors and service providers and require that they follow information-security best practices.
- Regularly test, review, and update security solutions and policies. Cybercriminals are innovative and adaptable; so too must be the efforts to thwart them.
The Spoils of Victory: Customer Trust, Bold Innovation, and Growth
We live in exciting times as the Internet of Everything (IoE) continues to transform our world in profound and exciting ways. That means astounding possibilities for new innovations and value are being created on an almost daily basis. It also means new cyberrisks will emerge and security strategies to evolve.
As we have discussed, pervasive security is essential if organizations are to capture the exciting opportunities at hand.
Siloed solutions bolted onto individual components will only create additional complexity. However, with security integrated into every element of the architecture and company culture, malware and other threats can be met with a rapid systemic response — before, during, and after an attack.
Moreover, the critical importance of cybersecurity must be shared throughout the organization.
Security is far from just an IT concern; it must be of prime concern to the CEO, C-suite, board of directors, LOBs — indeed, every team, every individual, top to bottom.
We have explored the impact of ill-timed, heavily publicized security breaches on customer trust and brand equity, along with the critical need for organizations to drive bold innovation and overall digital business transformation.
Once pervasive security measures are in place, growth will follow.
With security underpinning every new product and service, customer trust will be protected, along with their data and privacy.
A confident company culture will support the kinds of innovative, experimental thinking that today’s marketplace demands, and new initiatives and technologies will continue to drive progress.
Cyberattacks may be inevitable, but cyber war does not have to be hell.