By Martin Walshaw, SE Team Lead - Sub-Saharan Africa, F5 Networks
A wasted skill is a wasted opportunity to maximise commercial ambition. It can also put you at risk. In today’s highly competitive market, you need the right talent in the right place and at the right time. More than ever, executives must bridge the gap between IT teams and the boardroom to make the best strategic decisions. This is particularly true when it comes to security.
Experts who design security architecture in collaboration with business leaders will be far better placed to adapt to, and thrive in, today’s complex threat landscape. Those that fail to embrace teamwork will see misalignment across vital areas of the business, which can lead to costly inefficiencies and leave customer data at risk from cybercriminal activity.
Executives are from Mars, security experts are from Venus
A security breach’s impact is often hard to quantify. A recent F5-commissioned study by the Ponemon Institute noted that cybersecurity costs for companies rose 22% in 2017 to an average of $11.7 million. Meanwhile, the number of breaches increased on average 27% year-on-year. Hits to the bottom line are recoverable; hits to reputations are long-lasting.
Security experts, such as CISOs and design architects, are often perceived to be from different planets than executives. Succeeding in the digital economy requires intricate, substantive joined-up thinking. Technological ignorance or disconnects are no longer tenable.
Unfortunately, many executives still make short-term IT decisions based on cost alone. The Ponemon Institute report echoes this, voicing concern that investments often showed a ‘lack of balance’. For example, the biggest spend percentage was on perimeter controls. Nevertheless, cost savings associated with technologies in this area were only fifth in the overall rankings. We can, and should, reassess how we spend. First and foremost, this means a greater focus on securing applications, the prime gateways to sensitive information, whether in the cloud, in an on-premises datacentre, or in any other environment.
Addressing the balance
By following three simple steps, businesses can ensure greater alignment with their security experts to anticipate the future, rather than ineffectually reacting to it.
· Step 1 - Conduct a disaster recovery or penetration test exercise
Involving executives in the planning and execution of disaster recovery or penetration test exercises brings the commercial reality of cyber-attacks to life. This approach goes beyond a standard security audit because it aims to uncover vulnerabilities in IT security and the real-world effectiveness of operations against human attacks. Benefits include identifying risks and showing the magnitude of their potential impact on business operations. This is important information for executives and helps CISOs and architects prioritise resources and planning to ensure accurate and efficient security spend.
· Step 2 - Calculate the cost of business downtime
The average downtime cost depends on numerous factors, including revenue, industry, outage duration, affected stakeholders and time of day. Irrespective of circumstance, network or application failures from cyber-attacks have a direct impact on operations. Being able to attribute a specific cost to business downtime helps architects justify the right security infrastructure to monitor, restore and restart systems.
· Step 3 - Involve an external specialist
Without executives understanding security best practice, it can be hard for CISOs to drive meaningful discussions to improve cybersecurity strategies. Inviting an external consultant into the conversation can bring new perspectives, offer valuable threat intelligence insights, help outline market-relevant cyber trends, and advise on tackling hacker behaviour.