As we look at the current digitally enabled business landscape, we see the impact of forced rapid organizational changes that had been delayed for quite some time: changes that centered on how our employees were going to be able to continue to perform their work duties, no matter where they were, and on how businesses would accelerate their shift to cloud-enabled capabilities, all while security teams were doing the best they could to keep up with the speed of change and secure their respective organizations.
There have been many lessons learned in a short time frame, but these are perhaps the most notable:
- The critical need to adapt as quickly as possible to support members of our workforce and ensure they were able to securely access the systems, applications, and data they needed without interruption.
- The ability to succeed in the face of adverse events while unlocking opportunities that enable the business to thrive.
Many organizations found ways to thrive as they drove through rapid changes all while evolving overall operations. Pause for a moment and realize just how impressive that has been, given all of the adversity we have had to endure.
Digging deeper into the key lessons learned, we began to realize that it has become critically important for us to shift our approach from strictly security to one that is focused on making our organizations cyber resilient. As businesses swiftly move forward with the continued adoption and evolution of DevOps, shifting to cloud environments and overall digital transformation efforts, security has consistently been left behind. Although not explicitly attributed to some of these initiatives, high-profile security incidents have occurred frequently and will continue to do so. This digital evolution has driven security to the forefront of business leaders' priorities.
In the "2021 Global Risks Report," released by the World Economic Forum, "cybersecurity failure" has risen to the No. 4 global risk in terms of most relevant and probable over the short-term (zero to two years). Only societal risks (such as infectious disease) and environmental risks (such as extreme weather events) are of higher concern. Take a minute to consider that and ask yourself: Have I taken the right approach to help ensure we are doing the right things to help reduce that risk for our business?
Just as security's role within organizations had begun to make strides in improving through awareness as well as earlier involvement in projects, the sheer number of initiatives and speed of delivery have continued to scale at a pace that has made it extremely difficult to keep up. Unfortunately, if security teams don't figure out how to embed security at the speed of change, they'll be left behind. The business will continue to deliver innovative new solutions to market, while providing better digital experiences to customers, partners, and employees.
Investments in transformation efforts can be meaningless if they cannot properly secure the business, its customers, or other critical assets. We must shift to a cyber-resilient model, one that aligns with business outcomes while supporting the level of risk the organization is willing to take on. One of the main changes comes in the form of culture and mindset for security teams. We can no longer simply say we are aligning to the business needs; we must engage the business-line owners and collaborate with them to identify what is most important to them and what success equates to for their respective business area. The conversation must enable a true partnership that ensures ongoing alignment and delivers the best possible outcomes. This shift is one that centers on how security can move at the speed of change to secure what matters most to the business.
By understanding these areas of importance, we can focus our attention on how to prioritize where to best place our protection and detection mechanisms, while applying capabilities to minimize the impact when a security incident occurs. It is of the utmost importance for us to finally realize that we cannot continue to take an approach that attempts to apply the same level of security across all assets. No matter the amount of money and resources we put in place attempting to prevent cyber incidents, they will continue to happen. The cyber-resilience aspect here is to have a solid foundation in knowing your specific organization's business operational needs and aligning your program in a manner that emphasizes your approach to secure those critical business assets (applications, data, and digital identities).
From the business perspective, being able to provide security at the speed of change is required to drive seamless delivery of innovative solutions that allow for competitive differentiation and faster consumer adoption. Think of it this way: How long did it take for development and operations teams to change their approach from waterfall to agile to DevOps? Those organizations that are still either using a waterfall approach or slowly shifting to modern methodologies have seen their competitors pass them by. A couple of simple ways to initiate the process include:
- Build true collaborative partnerships with the business now, leveraging a model that goes beyond simply security and instead focuses on being cyber resilient.
- Institute a culture of collaboration by encouraging the security team to engage with the business line owners to understand fully what is most important and what success looks like.
Unfortunately, we won't be able to protect everything to the same level, but if we don't embed security into new innovative capabilities the business is looking to implement, then security will continue to play catch-up. Therefore, let's ensure we invest in the areas that are of highest priority to keep the business moving forward when something happens. This approach will allow for security to keep up with the speed of change.
About the Author
Rob Aragao is Chief Security Strategist for the Americas within the Enterprise Security business unit of Micro Focus. In this role, Mr. Aragao is responsible for working with organizations collaboratively to drive strategic initiatives around cybersecurity and alignment with business objectives and desired outcomes. He also provides thought leadership and insight regarding the ever-changing global threat landscape.