Why Cybersecurity Tools Aren’t Enough
By JC Gaillard, Managing Director at Corix Partners
Irrespective of what many of us may say or write, the cybersecurity agenda remains dominated by products and technology.
Of course, the problem has a technical dimension and the protection of any firm against cyber threats will require the application of technical countermeasures at a number of levels.
But there are countless tech vendors and service providers out there trying to sell their products as a silver bullet that will protect you from anything. And there are countless small firms still holding simplistic views on cyber threats: “We’re fine; all our data is in the cloud.”
For any organization above a certain size, effective and efficient protection can only result from the layered application of protective measures at the people, process, and technology level. And in that order.
It has to start with people. And that doesn’t mean rolling out a security awareness program. Middle management has always had a tendency to jump straight into the solution space on the back of a simplistic analysis of the problem, but at the heart of the “people” aspects of any security strategy lie issues of corporate culture and corporate governance.
“Good security governance” is not a piece of useless consultant jargon. It is an essential protective layer for any organization.
It ensures a visible endorsement of security values from the top down, brings clarity around security roles, responsibilities and accountabilities across the whole organization, and, more importantly, it is the cornerstone that gets things done around security through an effective and efficient layer of reporting.
Only the actual execution of security measures (i.e. the actual deployment of security processes and the technology required to support them) will protect the business. And that’s where many organizations, larger and smaller, have failed over the past several decades in spite of colossal investments in cybersecurity. Security projects get deprioritized halfway through, or focus only on non-existent low-hanging fruit; over time, people get demotivated and leave; nothing gets finished, and half-baked “solutions” proliferate. According to a 2020 survey by Cisco, the average organization now uses 20 different security technologies.
Let’s get this straight: this is a plain governance failure, and it has been plaguing organizations, large and small, around security for the best part of the last two decades.
Of course, the pandemic shifted priorities in a big way. Cisco’s 2021 Data Privacy Benchmark report noted that privacy budgets doubled to an average of $2.4 million in 2020. And, “Data Privacy has become a top area of responsibility for security professionals, with 34% of survey respondents indicating privacy is one of their core competencies and responsibilities.” But that money will only make a difference if it is spent without repeating the mistakes of the past. In order to break the spiral of half-baked solutions, and to target the management and governance roadblocks that have prevented progress in the past, most organizations need to act at three levels:
First, get a good understanding of your security maturity posture to start with and set realistic timeframes around change. Change takes “the time it takes” and there may be no quick wins.
Then, be objective about the skills and resources you have to deliver change and set realistic improvement goals. Jumping straight to ineffective “virtual CISO” solutions in the hope of making the problem disappear will not help if nobody is there to execute.
Finally, stay focused. Security transformation often involves a change in mindset, which needs stability to develop and takes time to set in. Changing direction or priorities every time something happens in the business or elsewhere will simply kill any transformational momentum around security.