Building a Security-First Mindset
It has been two decades since Y2K sent the IT industry into a frenzy. And while technologically we’ve advanced in leaps and bounds, there’s much about security that hasn’t changed; the strategies and mindset have remained surprisingly static.
Conventional thinking holds that security operates in the background—lurks quietly in the shadows, handled by a set of uber-geeks in black hoodies. They remain apart from the broader organisation, tracking down bad actors through the cesspool of the dark web. They plug noticeable gaps. They use layers of expensive, bolt-on tools to build up a defence, but, like their adversaries, they do little to draw attention to themselves.
Security continues to operate behind the scenes and often, after the fact. And let’s face it, the public mostly hears about the failures—that massive data breach, the leaked information, the stolen identities—and not necessarily the successes.
But what if security strategy and thinking evolved, too? People and our all-too-human behaviours are often the weakest link in any security setup. Phishing, ransomware, and malware often use psychology to get people to unwittingly give up secrets or facilitate breaches. With a global pandemic scattering the global workforce, it’s time to make security a very public, proactive, front-line priority and to spread the responsibility for security across the shoulders of each and every person at your organisation.
Resiliency in the Face of Adversity
A company’s security team is typically relegated to the background: actively monitoring the perimeter, setting rules and guidelines to reduce risk exposure, responding to incidents and protecting the organisation. Security is a balancing act. On one hand, security means managing risk, limiting exposure, and securing data and assets. On the other, security means enacting nimble processes to ensure the right employees have access to the right data at the right time, so that products get delivered on time and on budget. Despite these myriad responsibilities, security is frequently an afterthought, bolted onto organisations’ public, customer- and user-facing applications and processes. But consider this: what if security was instead at the forefront and a security-first mindset permeated the entire organisation?
Security team constraints
- Lack of alignment across security, development and infrastructure teams: Different goals, separate priorities and incompatible tools used to get the job done create friction and inefficiencies between teams.
- Budget ownership: Politics across security and IT teams generate discontent regarding where and how security funds are spent.
- Shortage of security talent: The APAC region only has 45% of the cybersecurity candidates it needs to handle increasing demand.
- Redundancy across the layers of the security organisation: Security teams that have similar skills and perform similar tasks aren’t working in concert, leading to inadequate security measures in some areas and an overabundance of measures in others.
Common security layers
- Security Operations: fosters collaboration across IT security and IT operations teams.
- Security Operations Centre (SOC): monitors, analyses and correlates threat information across the organisation.
- DevSecOps: infuses security practices into application development.
The pandemic has impacted organisations’ overall security posture and expanded their risk profile. Whether focused on business continuity or a return to growth in the “next normal,” every company finds itself at a different stage of recovery. Leading organisations are using the pandemic as an opportunity to reset their security strategy, improve alignment and embed security into the culture of the organisation, ultimately enabling the business to drive successful outcomes.
Take Bold Action to Fortify the Enterprise
The “next normal” is not the world we knew before COVID-19. At the onset of the pandemic, companies needed to transform from a primarily on-site work model to a largely remote workforce. To facilitate remote work, organisations quickly deployed company assets and, in many cases, employees increased the use of personal devices to access company data. These moves were initiated quickly at the onset of the public health crisis, when the primary focus was on continued operations and business continuity. But the push for business continuity favoured agility over security, resulting in a loss of control and creating blind spots for security teams, lowering their ability to respond to threats, decreasing confidence and exposing the enterprise to additional risk. As organisations moved beyond the initial focus on continuity, they were forced to deal with a new and vastly expanded risk profile. Already stressed security teams were further strained to manage and protect remote assets. Organisations now must fully assess where they stand based on their stage of recovery; then they can act to fortify the enterprise to be successful in the next normal.
- Take a holistic approach to changing the security culture: Show how security can enable business, getting products to market faster with less rework and lower risk.
- Evaluate security strategies and policies: Mind the gaps that have been created and follow through on addressing and fixing the disruptions.
- Keep security talent inspired and connected: Remote work can be stressful, particularly for teams tasked with securing the enterprise. Ensure your security talent is getting the development and support they need.
- Build specialised teams: Focus on upskilling your current talent pool and working with partners to help bridge the gaps.
- Break down the silos: Look for redundancies across your security teams and tear down the silos to generate synergies and efficiencies.