Source: www.databreachtoday.com – Author: 1
CISO Trainings
,
Leadership & Executive Communication
,
Training & Security Leadership
Andres Andreu Discusses How to Make an Organization Secure – and Successful
CyberEdBoard
Many cybersecurity leaders tout the notion that cybersecurity is a business enabler as a way to elevate their personal brand, but the idea is backed up by knowledge and real-world examples. The challenge is educating the C-suite about why cybersecurity is a business enabler.
See Also: Identity Security Clinic
Cybersecurity teams typically focus on either showing business leaders how their security is weak or implementing guardrails and protective controls. To make cybersecurity a business enabler, cybersecurity teams need to focus on opening things up in a secure fashion so that the functionality and productivity of the business can flourish. You can do this by reducing or eliminating excessive or unnecessary guardrails and controls. Continuously scrutinize controls and gauge them against business operations. Target the ones that hinder innovation and new initiatives and don’t add tangible value. These may exist in the form of technical debt.
In business, cybersecurity is no longer just about protective mechanisms. As technology advances and adds value to businesses, cybersecurity must be prioritized. The organizational goal can no longer be just business; it needs to be safe business. Safe business means protecting assets, customers and revenue. In safe business, cybersecurity enables the business and empowers it to grow.
Areas Where Cybersecurity Can Enable Business
Risk Reduction
Any cyber event – an attack, incident, etc. – can have a significant negative impact both operationally and financially. Robust cybersecurity measures are a common way to reduce cyber-related risk and avoid costly legal fees and loss of revenue.
Example: An organization implements native database column-level encryption and end-to-end encryption for applications, APIs, etc., which protects customer data both at rest and in transit and makes it harder for a bad actor targeting the organization that has custodial responsibilities over the relevant data sets. This move increases confidence in the organization by reducing the risk of data leakage and/or exposure. By going to lengths other organizations will not, the company shows that it genuinely cares about security and data protection.
Asset Protection
Cybersecurity controls and protective mechanisms can protect an organization’s assets – its data, people, technology equipment, etc. By actively protecting assets and preventing data breaches, an organization can avoid potential negative business impact, financial or otherwise. And because the organization does not have to worry about that potential damage, it can operate in a safe and focused fashion.
Example: A company is the custodian of persistently stored customer data, and it has grown over time by acquisitions. This means many different engineering team members have touched the many elements that make up this customer-facing solution. A cybersecurity-driven data discovery exercise reveals that some specific columns in a database store PII. This data is stored in the clear. The cybersecurity team works with the engineering teams to implement native column-level encryption and then appropriately modify all the apps and APIs, which protects sensitive data from bad actors, building trust with customers and partners. That trust enables the business to grow.
Adherence to Regulations and Compliance
Compliance and governance are not the same as security and protection, but there is business value in being compliant with regulations. Cybersecurity can add value to a business by ensuring adherence to relevant regulations, which reduces a company’s risk incurring fines, penalties and legal issues. Compliance also garners external validation of an organization’s level of security maturity, which provides business value – especially if the external entity is known in the industry as having deep expertise and being reputable.
Example: When a company is being considered for acquisition, it is expected to provide evidence of security maturity from some objective or external source. Entities that do not have this type of evidence will be perceived as immature or as not taking security seriously, and that may hurt the likelihood of being acquired.
Differentiation
Suffering a negative security event indicates some gap or deficiency in an organization’s security posture. All organizations have security gaps, but some never report a negative security event – probably because they have invested more resources in differentiating themselves from their competitors. Implementing strong protective measures shows customers that an organization takes security seriously, which makes it a more appealing business partner.
Example: An organization engages in honest, objective and continuous assessments and penetration tests against its customer-facing environments and publishes the unvarnished results for the world to see. This transparency shows goodwill and confidence and differentiates the organization from others that are not as forthcoming and transparent.
Customer and Partner Confidence
Customers and partners are becoming more aware of cyber risks, and they prioritize cybersecurity when they consider engaging in business. By implementing effective cybersecurity measures, a company can improve the confidence that potential customers and partners have in it. Over time, this will lead to increased loyalty and trust.
Example: A cybersecurity-driven data discovery exercise exposes many years of technical debt in the form of unencrypted files containing personal or sensitive data. This is an obvious risk if a bad actor were to access these files. The cybersecurity team engages with relevant engineering and IT teams to clean this up and shares its discovery and subsequent action with relevant parties to demonstrate its commitment to cost savings, security and data protection. This builds trust with customers and partners, which enables growth.
Innovation
As companies, innovation is a differentiator, and safe innovation requires cybersecurity involvement. By implementing cybersecurity measures that align with business strategies in the adoption of developing technologies, such as artificial intelligence, a company can improve its agility and competitiveness.
Example: An IoT manufacturing company is building sensors that will automatically send telemetry data to a cloud-based ecosystem for storage and eventual analytics. The cybersecurity team works with software developers to make sure that data is transmitted in the safest possible manner – a combination of orthogonal encryption covering both transmission streams and payloads. Given that, self-contained executables can be compiled natively for multiple platforms. That protected mode of transmission becomes portable. The hardware design team can then shift gears and change embedded platforms as needed. It doesn’t have to worry about the data transport mechanism. This improves R&D, production efficiency and agility; reduces cost; and enables the business to scale.
CyberEdBoard is ISMG’s premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community – CyberEdBoard.io.
Andres Andreu is responsible for reviewing and optimizing software development processes to ensure consistent and predictable delivery. His expertise spans information security management and cyber and web application security. Andreu has nearly 30 years of experience and has served in the U.S. Drug Enforcement Administration.
Original Post url: https://www.databreachtoday.com/blogs/cybersecurity-be-businesses-enabler-p-3668
Category & Tags: –
Views: 0
