10 years ago, cyber was not thought of as a risk to the business. It was just a way to do business that was faster and less expensive.
5 years ago we started to think, in very rudimentary terms, that cyber was a small risk but we knew nothing about it so we will pass it to the ICT department for them to manage.
We did this because the perception of digital risk was purely associated with the ICT of the organisation.
Since 2014 and the Target hack, C level execs, boardroom members, owners, and managers, realized that digital risk was bigger than they expected and the departments that they had relied on to secure their organisations were not, in fact, doing the job to the expected level.
Definitely not their fault, there were a couple of reasons for this, the first being that they relied on people who were more focused on keeping the lights on, making the technology work, than securing the environments.
The other was whenever they, the ICT department / managed service provider tried to secure the business environment, and they would have done regularly, they were fighting culture, fiscal and attitude issues that just made it too hard to make the business environment safe.
In this environment most ICT departments / managed service providers resorted to a number of basic strategies. Let’s get a decent firewall, let’s get a decent AV and let’s make sure that updates are applied. This is close to 10% of the requirements to secure an organisation.
Digital and cyber risks are now the number one or two risk factors on management minds in today’s business world.
They still do not know how to manage it.
The hardest part is visualization. How do those risks manifest themselves within the organisation?
No matter the size, the number of people you employ or the amount of money/revenue you make, digital risk can bring your organisation down in some cases literally overnight. In fact, at the speed of Cyber!
Business management still thinks that ICT departments and managed service companies are the answer.
They are not!
Business security is a whole of business issue with a mantra that cybersecurity is everyone’s problem. You need a team that crosses all of the lines of communication, from management to coal face.
You need people who understand the bad guys and can attack your system with the same capabilities and vigorous intention, but without the damage.
They need to approach the problem with the same intensity as the bad guys so that vulnerabilities can be exposed and removed, exploit can be counteracted and restricting a breach by monitoring the attack surface.
This will, in the end, make your environment more secure and stable.
You need someone with the right methodology, an understanding that technology is only part of the solution, and the ability to approach the huge problem in a manageable way.
It is only manageable when you address the areas apart from technology.