January is a time for reflection, which most companies try to tap into by spamming you with predictions for the upcoming year, New Year’s resolutions and new solutions to old problems. My marketing department have convinced me to jump on the bandwagon; however, I would rather use this space to emphasise things that we have cared about long before the turn of the year. Things that I believe are extremely important, which we will continue to focus on in 2020 and beyond.
Taking responsibility for the safety of our clients is the first thing that I ask of my colleagues. It’s an absolute core value of our company. For many years, the IT security industry has focused on finding weaknesses in our clients’ defences – the more holes we could find, the better our results (or so we thought). However, this is not the mindset or the approach that our clients need today. Organisations already know that they have holes in their security. They know that they are facing a number of cyber risks and they know that they cannot address them by themselves. What they need is help to understand exactly where they should focus their efforts, based on threats and risks, and subsequently, help with addressing the identified issues at the top of their priority list.
But FortConsult, NCC Group and the rest of the industry taking responsibility is not enough – it’s also the first thing that I urge our clients to do. Because you cannot cure a patient who doesn’t want to be cured. In far too many companies, the board and C-level executives do not actively take part in solving their IT security issues. Sure, they might allocate a part of the annual budget to IT security, and might even say that IT security is a focus area, but this is not enough. Protecting your company requires more than that – you have to mean it and you have to remember to act on it!
Just like in any other situation, if you want your colleagues to demonstrate a certain behaviour, you have to remember that they will do as you do, not as you say. Which is why I urge all board members and top execs to take IT security seriously and act on it. And don’t worry – it will not steal attention from running your business. A skilled hacker, however, can steal market share from your company far quicker than a competitor or a disruptive technology.
The role of the CISO
Most of our consultants have experience as a CISO, security manager, technical lead or a similar position from their previous employers. They have seen first-hand the difference that a good organisational structure makes for a company’s efficiency at addressing IT security. In many companies, the CISO reports to the CIO, while IT security is still a part of the IT department. This is a problem, as it creates an imbalance in the power relationship between IT security and the CIO’s other priorities. On top of that, the CIO will rarely bring the CISO to meetings with top management, which often means that management gets a sugar-coated version of reality, as far as IT security is concerned.
So, if you are serious about addressing the cyber threats facing your business, you need to establish an organisational structure where your CISO reports directly to top management and has a realistic budget to work with – and thus has real C-level influence.
Overview before action
In 2020, we will continue to advocate establishing an overview before embarking on numerous IT security projects. Without a strategy and an understanding of your maturity level and the cyber threats to your business, you will most likely end up wasting your resources on the wrong actions.
Which is why I recommend that you start with a 360-degree assessment of your current IT security situation. In this way, you get an overview and create a risk profile before spending precious time and money on a myriad of tests, solutions and actions that may prove to be ineffective.