In our future-oriented environment, the idea of looking backwards rather than forward seems rather counterintuitive. But cybersecurity experts are shifting in that direction as we strive to help organizations shield themselves from attacks and prepare for tomorrow’s threats.
According to my colleague Pete Hobson at PwC, “There’s so much effort spent on what could happen within a system. But what did happen?”
His point is that cybersecurity has traditionally focused on managing risk within business applications based on what the hackers might do next – since they are always thinking ahead. Cybersecurity experts have concentrated on access control and user roles within the system, or vulnerability management, or code scanning. These are of course important techniques that use technology strategically.
However, we now have technology that lets us see how an attack actually happened, learn from it, and apply that knowledge. Artificial intelligence, machine learning, and data analysis can process the huge volumes of structured data inside business applications to recover from exposure, protect against it, and give a clearer picture of the organization's risk portfolio. Going forward, continuous threat monitoring of business applications will become a must. Companies will not survive without such technology.
Next-Generation Methods for Thwarting Danger
When we look at the major threats today and those looming on the horizon, we are seeing a dramatic rise in ransomware attacks as businesses grow increasingly reliant on digital infrastructure for financial transactions. Ransomware campaigns typically begin with attackers impersonating internal users.
In seconds, an attacker can guess the email address of a targeted individual from their role and employer, both readily visible on public sources such as social media, and then send a message that looks just like a legitimate email from the company. All the attacker needs then is for the recipient to click on a link. That can be enough to disrupt business processes, trigger payments, download credit card and bank account information, and so on. Desperate companies often agree to pay the ransom, which only increases the incentive to break in.
To avoid being held to ransom, impersonation of users must be recognized very quickly so the attack can be stopped in time. Security processes supported by innovative, next-generation technologies must therefore be in place to catch the unintended errors that people will inevitably make.
In short, this will require centralizing and automating everything – not just user-access administration but controls, monitoring, and audit. This will be crucial as companies move toward heterogeneous and hybrid landscapes. Monitoring must encompass both internal and external threats. Companies will shift towards a model that assumes more flexibility in the way they manage segregation of duties – and ironically, that actually allows for more internal trust.
This model will involve monitoring and controlling employee accounts so that they cannot be impersonated by untrusted outsiders.
An Evidence-Based Approach to Gaining Buy-In for Security Investments
That said, I am well aware of the challenges for security personnel in convincing business leadership to make these investments. The security team is typically requesting budget resources from an audience that is far more focused on sales and finance and bringing money into the company.
How can you bring their attention to the urgent need for security and get buy-in?
One way is to use data analytics and threat detection to show evidence – again, not about what might happen, but what has happened.
Talk about the things people care about from a business perspective. Communicating clearly is paramount: avoid heavily technical language about the methodologies you use and acronyms that are incomprehensible outside the security realm.
Keep in mind your stakeholders and the issues that matter to them, and tie the conversation back to a business risk that is meaningful to them. In the end, security measures exist to help the business run better and more securely, and they must be implemented with the end-user experience in mind.
An Embedded Security Culture
At a higher level, the best practice is to embed security at every level of the organization.
Chief information security officers will become more important in that regard. The trend is moving toward integrating security professionals into the process of deploying solutions from the outset.
Any type of software implementation is focused on enabling the business – making it faster, driving efficiencies, and ensuring business continuity. The conception in the past was that incorporating security would do the opposite.
But rather than spending months or years on a deployment only to discover a problem after going live, the security team can avoid that outcome by treating security as a requirement from the start. Addressing security, compliance, and controls at the outset and throughout the project produces a better, more comprehensive solution than a deployment that is both more expensive and less effective.
Emphasis on Efficiency
Finally, I recommend that security teams continuously challenge themselves to think broadly about different ways to solve a problem. Consider not only the tools at your disposal, but also whether there is a configuration you can flip, an analytic you can build, or a restriction you can put in place.
Try to find the approach that is least intrusive to your business operations. Driving the efficiency that the entire organization values is how you win buy-in: the willingness to say yes, security can be part of this, because we are finding ways that are invisible and allow the business to operate and flow as it should.
To Learn More
Many thanks to my colleague Pete Hobson, PwC Director of Cyber Risk and Regulatory, for his contributions to this article.