Why you shouldn’t think of security as an “industry standard” or “competitive advantage”
Rethinking the cybersecurity, privacy and compliance perspective
Jan. 30, 2020 | By: Kory Patrick
Clients, especially those who are not in the financial services or healthcare industries, often tell me, “I want the appropriate level of security based on my company size for my industry,” or “I want to be more secure than my competitors.” When measuring success, we’re conditioned to speak in narrow definitions of markets or competitive advantage, but as these continue to evolve and grow—so does our thinking about security. Many organizations struggle to categorize themselves into just one vertical or line of business, and when they do, it’s often to cast a favorable light. When it comes to security, privacy and compliance, “industry standard” or “competitive advantage” can be a risky thought process. Attackers and cyberhackers don’t rely on industry standards, market norms, competitive advantage or regulatory compliance to define success the same way we do.
Most adversaries don’t sit down one morning and say, “I’m going to attack industry X today. Who are the least secure people in industry X?” They are typically entrepreneurs who look for an opportunity, discover a vulnerability and take advantage until they’ve acquired enough information or taken control over a system. Once they figure out what they have—regardless of industry—they monetize it to their advantage. We cannot define the relative success of our security, privacy and compliance programs narrowly in the same way we often try to define the success of our business.
The longevity of technology and IT systems
Part of the reason we don’t yet think about our businesses in this way is that the future didn’t arrive as fast as we imagined it would. Much like a retiree who miscalculates their longevity and outlives their retirement savings, information systems that were designed and put into use 30, 40, even 50 years ago weren’t designed for the security and IT requirements of today. People didn’t believe we’d still be using them, and so security became an afterthought. Through deferred (or minimal) investment, we’ve squeezed every ounce of life from legacy technology. In hindsight this matters a great deal: we lacked the foresight to expect those systems would still be in play, yet we have a clear pattern of making legacy technology live longer. What we’re rolling out today could last well beyond its anticipated lifespan, which raises the question: what are we not considering? Or worse, what cybersecurity, privacy and compliance investments are we knowingly deferring because we can’t articulate them in terms of business savings?
IT security is about community while driving innovation
There’s an opportunity for service organizations, designers and innovators—our information security community as a whole—to be thinking and talking about the longevity and future of our technology in terms of security, privacy and compliance. Today, we need a more coordinated, less competitive effort in both the public and private sectors. If you spend any time on social media and look at some of the pioneers of information security, you’ll find that it’s an incredibly small, tight-knit community where people openly share information and support each other. Sometimes the community struggles to articulate the business value of security, privacy and compliance, because information security is often mistaken for an information system from which we expect minimal investment and a maximum lifespan. IT security, privacy and compliance are not a competitive advantage; they are a community effort. When sensitive information is breached, it’s not “advantageous” that the loss happened to a competitor or outside your industry. Competitive advantage has no place when it comes to the brass tacks of protecting people and their data, because every breach impacts all of us negatively.
We must continue to address and solve information security challenges together. And on the other side of the coin for process innovators, technology implementors and tool developers, keeping competition alive and well continues to drive innovation. Establishing a common defense and developing long-term investments provides us with the best chance to defeat a common adversary.
Kory Patrick is the Risk and Security Practice Leader at TEKsystems. He leads advisory and consulting services for the enterprise environment focused on reducing risk to the business by addressing security, privacy and compliance challenges through effective governance, identity and operations management in cloud, on-premise and remote environments.