It’s safe to say that the evolution of digital technology has truly changed modern business practice.
From BYOD initiatives, remote working, and cloud based applications, to the growth of the corporate network to include supply chain members, contractors and part time workers, there are now many aspects of a network for hackers to choose from.
The problem is, these changes in how businesses operate are not being mirrored in changes to cyber security.
Cyber security experts are still not involved from day one in strategic decision.
>See also: Busting the 7 myths of cyber security
Businesses still expect the security team to take responsibility yet leave deployment in the hands of multiple departments.
It is time to address the fragmented, outdated, reactive attitudes to cyber security that still dominate today. By failing to embrace security expertise and innovation up front, businesses are incurring far too much risk.
C-suite should put cyber security at the top of the boardroom agenda.
Keeping up with the exploding attack surface
The increasingly fluid and agile way in which businesses now operate has fundamentally changed the threat landscape, creating a much bigger attack surface.
The number of applications now being used by a huge and diverse user base, both within and outside the organisation, across personal smartphones, in the cloud and, of course, IoT devices, has created a level of risk never before encountered.
Just consider that one hacked company can compromise the operations of every business along an entire supply chain, or a single contractor who is compromised by an attack can become the steppingstone into the heart of your company.
The near daily exposure of breaches confirms that cyber security practices clearly have not kept up with this exploding attack surface.
The implications of this lack of senior level participation in cyber security strategies are tangible.
First of all, security is reactive, with experts consulted after strategic business decisions have been taken and IT deployments rolled out – leaving gaping holes in the security plan that simply cannot be effectively filled retrospectively.
Second, responsibility for security is not centralised but fragmented across multiple silos – from application developers to network teams and those responsible for remote access or end-point protection.
The result is that while security may be tasked with safeguarding the business, achieving that objective can require interfacing with up to eight different groups – all of which are focused on their own areas of responsibility, rather than security.
In some cases security is not the overriding, top priority of these teams, who are focused instead on application or network performance and other fundamental functions.
Even then security procedures and tools are implemented piecemeal, creating a fragmented and confused picture across the organisation.
While security remains a secondary business consideration and security teams lack central control, the corporate risks will continue to rise.
Improving defences and driving business value
The difference between those organisations that have a top-level commitment to security and the rest is stark.
The best practice approach ensures security is considered, evaluated and incorporated into the planning stages of every corporate strategy – not addressed after the fact.
Furthermore, a dedicated security team – preferably led by a chief information security officer (CISO) – has full, centralised control over policy and implementation enabling the business to achieve uniform security across the entire enterprise, rather than the fragmented, even contradictory solutions often deployed on a departmental basis.
Critically, with security people involved in the planning stage from day one, the company can ensure best security practices are baked into the project from the outset – and that best practice cyber technologies can be embraced to both improve defence and drive business value.
Replacing a traditional – and vulnerable – rigid firewall with a software-defined perimeter that is far more fluid enables a business to remain secure despite constant operational change.
A software-defined perimeter that is disconnected from the infrastructure can drastically simplify the complexities of adding or removing cloud applications, or granting mobile access for a specific set of workers.
Organisations need to move away from outdated thinking about securing the perimeter.
Simply put, security can no longer be about managing devices and networks. It must instead be focused on managing users and applications, and tightly aligned with the business objectives associated with both.
For example, role-based access control can enable an enterprise to consistently enforce policies across the range of users and applications, directly aligning that critical security function of remote access with the overarching business objectives.
This approach has the added benefit of blocking unauthorised lateral movement, which is the hallmark of modern data breach vectors.
>See also: Top 6 cyber security predictions for 2016
If all applications are protected by real-time role-based access control, and if all user access is limited to only what a user needs to do their jobs, then the compromise of one user does not grant access to everything. Lateral movement is constrained and the breach is contained.
Organisations that embed this software-defined model within strategic planning not only minimise risk but also support business innovation.
Consider a company looking to deploy a new application to its workers that will increase productivity by 40%. Roll that out to the 50% of staff that work at HQ and the benefits are clear; but build in security planning from day one and that application can be securely extended to mobile workers on their smart phones and part time contractors – suddenly the 40% productivity gain is massively extended, boosting performance and delivering ROI for the application itself far, far quicker.
Cyber security needs to be led from the top.
When security is done well, it is not only a defensive strategy, but it enables better enterprise performance.
Those organisations with a C-suite that prioritises cyber security are not only in a far better position to minimise risk but also well placed to drive tangible business value.
Sourced by Adam Boone, chief marketing officer, Certes Networks