
IT security increasingly becoming a board-level issue

16 Oct 2017

Article by Daniel Crnkovic, Content Security General Manager.

Many organisations have traditionally placed responsibility for their cybersecurity squarely in the hands of the IT department. This is a situation that is now rapidly changing.

Throughout the world, management boards are recognising that the risks associated with security breaches are so significant that the issue needs to be dealt with at the very top of the organisation. It's no longer sufficient to sign off on an IT budget and then not consider the issue any further.

This change in attitude has occurred in response to the increasing number of high-profile cyber incidents affecting organisations of all sizes. From ransomware attacks that cripple core systems to phishing scams that result in data theft, the impact of attacks can be significant.

Recent examples include the WannaCry attack that targeted computers running Microsoft's Windows operating system earlier this year. The rogue code infected more than 230,000 computers across 150 countries in a matter of days.

More recently, one of the worst data breaches in United States history occurred when hackers gained access to the data stores of credit reporting agency Equifax. The personal details of more than 143 million customers were compromised.

In Australia, the board-level attention given to IT security is being further fuelled by the mandatory data breach disclosure laws that come into effect in February next year. Under these laws, any organisation that is accountable under the Privacy Act will need to alert the Australian Information Commissioner and members of the public if their data has been compromised.

For board members, another key issue is business risk. They understand that, if a cyber incident disrupts operations or causes privacy breaches, they are the ones who are ultimately responsible. Just as the fallout from any other type of decision can result in a 'please explain' request from shareholders and regulators, so too would news that failure to take necessary security steps had led to a breach.

Thorough assessment

The first step for a board is to arrange a thorough audit of all the security tools and practices currently being used across their organisation. This review should examine all critical assets and determine what measures are in place to ensure their protection.

Assets should include all IT hardware including end-point devices, servers, networking gear and backup facilities. The review should also examine all software applications and data stores including any held within third-party hosted or cloud-based facilities.

A comprehensive gap analysis can then be performed that will serve to highlight where changes and further investments are required. This also ensures that any money spent is targeted at precisely where it's required rather than ending up funding knee-jerk reactions to perceived weaknesses.

A platform approach

In many cases, following comprehensive reviews of their organisation's IT security capabilities, management boards are opting to shift away from the purchase of point products and services and adopt a platform-based approach.

Taking this approach delivers a range of advantages including:

  • Improved consistency: An IT security platform offers a more holistic and consistent approach to security across the organisation. Rather than buying particular tools or services to address discrete issues, a more comprehensive solution can be created that maximises resilience to threats.

  • Fewer required skill sets: Reducing the number of individual security tools in use also reduces the number of skill sets required to manage them. Rather than needing to learn the intricacies of a broad range of security products, IT staff can instead focus on the chosen platform and understand it in depth.

  • Lower purchase costs: Investing in an integrated security platform can be significantly less expensive for an organisation than purchasing a range of disparate tools. Money saved can then be invested into other areas of the business.

  • Faster responses: Having an integrated security infrastructure will allow IT teams to respond more quickly to incidents when they occur. Rather than needing to juggle different tools, a more holistic approach can be taken.

Boards also need to understand that effective security is not a one-off task where you can simply 'tick-the-box' before moving on to the next issue. The chosen infrastructure must be constantly monitored and adjusted as the threat landscape evolves.

By ensuring security remains at the top of the list of items for consideration on an ongoing basis, the board can ensure their organisation is best placed to withstand attacks and maintain normal operations at all times.
