Global cybersecurity spending is expected to approach US$ 200 billion by 2025. Having progressively increased their cybersecurity investments over the years, there is a false sense of security and control among organizations: in the latest edition of an annual survey, only 48% of CISOs felt their organization was at risk of suffering a serious attack in the next 12 months, versus 64% last year. But the report says that this confidence is more likely post-pandemic optimism than any real improvement in preparedness; even today, 50% of the organizations are ill-equipped to handle a targeted attack.
While investment is important, simply throwing more money at the problem will not make it go away. Organizations need a change in security mindset to improve their security posture. Here are some suggestions for how they can achieve it:
Rethink priority and scope
Instead of viewing cybersecurity as a technology function, enterprises must see it for what it is – a business risk management program that is crucial to their survival. It should therefore be top priority, taking front and center in every decision. The challenge is that as enterprises continue to digitize, they increase their exposure to attack; it will be a tough call to choose between the benefits of digitization and security, because no organization can have 100% of both.
Enterprises may also want to rethink the scope of cybersecurity – how far outside the organization it extends, what all it covers, and so on. The pandemic provided the perfect setting for this. With the shift to remote working, employers were forced to bring employees’ homes within their security perimeters. In some cases, this called for redrawing the cybersecurity operating model and business continuity plans to cover a widely dispersed workforce.
Then the disruption of supply chains drove home the need to focus on risk and resilience. With vendors and distributors also experiencing the same things – for example, digital adoption and remote working – it was important to include their businesses in cybersecurity assessments. Between pandemic-lockdowns, climate change events, and acts of aggression, organizations have accepted supply chain disruption as a fact of life. Collaborating with supply chain partners to build joint cyber-resilience should be high on the agenda.
That brings us to one of the biggest shifts required in organizations’ security mindset. Historically, enterprises have been more reactive in their approach, focusing on defending against threat. But given that cyberattacks will only grow in variety, frequency and ferocity, and so will environmental risks, it is imperative to progress beyond cybersecurity, towards cyber-resilience in an attempt to thwart bad actors before they strike. Apart from being proactive, cyber-resilience differs from the old approach by accepting that security incidents are inevitable. With that acceptance, it focuses on improving detection, alertness, and response in those situations.
All these mindset changes – in priority, scope and coverage, and from maintaining security to building resilience – suggest that organizations should deploy future investments in proactive defense, anticipating attacks early, responding to events in real-time, and trying to contain damage rather than fixing it. And of course, they need to protect data and applications wherever they may be. In the digital – and especially post-Covid – age, that could quite literally be anywhere. As enterprise workloads increasingly move into cloud, and the remote work model sustains, the traditional practice of securing the network perimeter is no longer effective.
Since neither data nor the workforce is restricted within enterprise boundaries, security needs to go from being network-centric to becoming user-centric. Indeed, this is the basic principle of zero-trust architecture (ZTA), which seeks to safeguard users, resources, and assets where they are, instead of protecting static perimeters.
Finally, can there be a new mindset without new minds? It is seen that security professionals are a largely homogeneous breed, similar in background and mental make-up. Changing the enterprise security mindset calls for injecting fresh thinking by diversifying the talent pool.
Adapt security to evolving threats
Technologies, such as Machine Learning, Artificial Intelligence and the Internet of Things are expanding data, devices and touch points, and consequently, the threat landscape. Hackers are also using these technologies to mount more sophisticated attacks. Defending against cyber risk that is growing and evolving at speed, will call for an adaptable security approach. Take the example of a large enterprise, which adapted to the elevated risk during the pandemic, by modifying certain security policies, including the rules pertaining to USB connections and critical security patches. Also, by running more context-specific awareness campaigns, it was able to achieve a dramatic improvement in employees’ anti-phishing behavior.
There may also be a need to revise conventional, data center-centric IT security approaches, which are not designed to protect distributed computing assets at scale. Enterprises should consider using dynamic, adaptable security controls that can work in various environments without being centrally monitored. Security Access Service Edge (SASE) – combining a software-defined wide area network with network security services and delivering it through cloud – is a possible solution.
Alertness, awareness and anticipation
A proactive security mindset is all about preventing incidents. It is about anticipating the new normal and the new threats it could bring, and embedding protection at the design stage itself. Apart from employees, partners and customers should also be included in security awareness and education programs. Above all, organizations should beware of complacence. Being alert and anticipative – conducting regular cybersecurity drills, for example – is as essential as prioritization, cyber-resilience and adaptiveness in improving the security mindset of an organization.