SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
IT security increasingly becoming a board-level issue
Mon, 16th Oct 2017
FYI, this story is more than a year old

Many organisations have traditionally placed responsibility for their cybersecurity squarely in the hands of the IT department. This is a situation that is now rapidly changing.

Throughout the world, management boards are recognising the risks associated with security breaches are so significant the issue needs to be dealt with at the very top of the organisation. It's no longer sufficient to sign off on an IT budget and then not consider the issue any further.

This change in attitude has occurred in response to the increasing number of high-profile cyber incidents affecting organisations of all sizes. From ransomware attacks that cripple core systems to phishing scams that result in data theft, the impact of attacks can be significant.

Recent examples include the WannaCry attack that targeted computers running Microsoft's Windows operating system earlier this year. The rogue code infected more than 230,000 computers across 150 countries in a matter of days.

More recently, one of the worst data breaches in United States history occurred when hackers gained access to the data stores of credit reporting agency Equifax. The personal details of more than 143 million customers were compromised.

In Australia, board-level attention being given to IT security is being further fuelled by the mandatory data breach disclosure laws that come into effect in February next year. Under these laws, any organisation that is accountable under the Privacy Act will need to alert the Australian Information Commissioner and members of the public if their data has been compromised.

For board members, another key issue is business risk. They understand that, if a cyber incident disrupts operations or causes privacy breaches, they are the ones who are ultimately responsible. Just as the fallout from any other type of decision can result in a 'please explain' request from shareholders and regulators, so too would news that failure to take necessary security steps had led to a breach.

Thorough assessment

The first step for a board is to arrange a thorough audit of all the security tools and practices currently being used across their organisation. This review should examine all critical assets and determine what measures are in place to ensure their protection.

Assets should include all IT hardware including end-point devices, servers, networking gear and backup facilities. The review should also examine all software applications and data stores including any held within third-party hosted or cloud-based facilities.

A comprehensive gap analysis can then be performed that will serve to highlight where changes and further investments are required. This also ensures that any money spent is targeted at precisely where it's required rather than ending up funding knee-jerk reactions to perceived weaknesses.

A platform approach

In many cases, following comprehensive reviews of their organisation's IT security capabilities, management boards are opting to shift away from the purchase of point products and services and adopt a platform-based approach.

Taking this approach delivers a range of advantages including:

  • Improved consistency: An IT security platform offers a more holistic and consistent approach to security across the organisation. Rather than buying particular tools or services to address discrete issues, a more comprehensive solution can be created that maximises resilience to threats.

  •  Fewer required skill sets: Reducing the number of individual security tools in use also reduces the number of skill sets required to manage them. Rather than needing to learn the intricacies of a broad range of security products, IT staff can instead focus on the chosen platform and understand it in depth.

  • Lower purchase costs: Investing in an integrated security platform can be significantly less expensive for an organisation than purchasing a range of disparate tools. Money saved can then be invested into other areas of the business.

  • Faster responses:  Having an integrated security infrastructure will allow IT teams to respond more quickly to incidents when they occur. Rather than needing to juggle different tools, a more holistic approach can be taken.

Boards also need to understand that effective security is not a one-off task where you can simply 'tick-the-box' before moving on to the next issue.  The chosen infrastructure must be constantly monitored and adjusted as the threat landscape evolves.

By ensuring security remains at the top of the list of items for consideration on an ongoing basis, the board can ensure their organisation is best placed to withstand attacks and maintain normal operations at all times.