Interview: Forcepoint on moving data protection from the SOC into the business
In many organisations, there's a fair chance that if any employee, partner, or customer brings up a security issue, they will be directed to IT or security teams.
Talk about data protection, for example, and you'll soon get a fair idea about which organisations consider it purely a cybersecurity or IT security issue, while CEOs and boards cast an overseeing eye over the bigger picture.
But change is inevitable: IT powers more parts of a business than ever before, digital transformation is something that every organisation must achieve, and security is now an integrated part of every business.
Forcepoint's Asia Pacific strategic business director Nick Savvides says that despite this change, some organisations still see cybersecurity as a hygiene function that runs parallel to, although separate from, this evolution.
"In recent years, this has started to change and cybersecurity has been seen as a key enabler in the adoption of new technologies, but I think that still is not enough. Like technology has fused with the business, accelerating business change and even opening up whole new lines of business and ways of operating, cybersecurity must also become an integrated part of the business."
But why is this so important? Savvides says that cybersecurity can transform the way organisations deal with risk. Rather than seeing cybersecurity as a technology problem, organisations that change their perception quickly see its value as a way of achieving better business outcomes.
"Rather than taking an approach that centres on securing systems and infrastructure, if you take an approach that centres on the business outcome and the data, you are taking everyone on the journey with you."
Savvides points out that of course security teams will take care of securing systems and infrastructure, and coordinating the detailed technical responses, but this all takes place within a wider business context.
To facilitate such a perception shift, it's not just up to security leaders to convince their business executives to make the change - it should be a collaborative approach. While that's easier said than done, Savvides says there is one key reason why it cannot be ignored: Cybersecurity is a key part of any strategy that empowers an organisation to move forward and continue working with employees, customers, partners, contractors, and all of its stakeholders.
"Something that really helps here is making the broader business part of the existing response plans, where the business is exposed to and can provide immediate context to incidents as they occur. This fosters good operational integration, while the leadership works on strategic integration."
Expanding data protection across a business reduces risk, not only because data protection is decoupled from the idea of infrastructure and security, but also because it becomes everybody's responsibility.
Savvides says that data protection can be one of the deciding factors in terms of whether a business thrives, survives, or dies.
"Organisations have often thought about their data in silos, financial, customer, intellectual property etc. and each of these has different levels of protection. Increasingly, as economies integrate, our data is shared amongst a complex supply chain that processes, uses or collaborates with that data. We now generate, collect and analyse more data than ever before to help run the business. This makes it very attractive to malicious actors, and presents a real risk if either maliciously or accidentally lost."
He adds that there may be some people who still believe that data protection should remain firmly in the domain of the SOC and security teams.
"I always ask, 'who knows the value of the data better, cybersecurity or the business?' Invariably, the answer is the business, because they own the outcome that is derived from that data. Cybersecurity might best be placed to oversee and provide expertise, but if it's not integrated into the business it can't understand the value or context easily. This is why I don't think it's an either-or scenario, but one in which they are fused."
Forcepoint's key guiding principle is the idea of human-centric security, which essentially means that people and their interactions with data are the focal points.
"As a result, we've taken our traditional data, threat and user protection technologies, and fused them in a way that understands humans and their use of data and in real time applies data protection to prevent incidents from occurring," says Savvides.
"While the technology is very cool on its own, what I think is even more powerful is that Forcepoint can not only help organisations rapidly move to this model but also integrate their cybersecurity practice in their business, getting better security and business outcomes. Our approach really allows an organisation to digitally transform the cybersecurity function."