When it comes to cybersecurity, business leaders often make the mistake of defining their security policies based on regulatory requirements with the goal of preventing fines. This often results in them operating with a “checkbox mentality” – the idea that meeting compliance regulations and avoiding penalties ensures meeting security needs.
The problem with this approach is that compliance requirements are predictable and often change slowly, while security is dynamic and threats move at a faster pace than compliance. While achieving compliance standards, such as Singapore's Personal Data Protection Act (PDPA), is an important step for businesses to protect themselves, it is not sufficient to combat sophisticated cyber attackers who are on a constant lookout to obtain sensitive data.
In an interview with CSA, Sandeep Bhargava, Managing Director, Asia Pacific / Japan, Rackspace Technology, explained what causes this mentality and how cybersecurity cannot be treated as an afterthought with limited compliance solutions if a company wants to grow and succeed in the digital age.
“The ‘checkbox mentality’ is an interesting aspect to look at because we mostly use it in our daily lives,” said Sandeep, adding that we all suffer from it because we feel satisfied with what we can write, put into a context, define a set of steps, and then “tick mark” them like our to-do list.
“This same mindset goes into cybersecurity as well. And we know, based on how our adversaries are adapting and evolving, that checkbox mentality is not the best way to go but it fits with our natural way of doing things,” he said.
A Change of Mindset
Sandeep stated that the rate of cybercrime has increased exponentially, which is consistent with the advancement of technology. As technology advances, so do the types of cybercrimes committed.
As we enter the new normal, organisations are constantly adopting new technologies that are here to stay. As a result, new risks are constantly introduced into the environment. Due to the number of people working from home, the level of security is not as robust, and cybercriminals are definitely taking advantage of it, based on the rising number of successful attacks that have occurred in the region and around the world.
Thus, Sandeep suggests that businesses should look beyond the checkbox mentality in order to keep pace with how rapidly the threats are evolving. He claims that merely looking at compliance will do little to reduce all types of threats, whereby with security, “You have to be in the market to know what’s happening. You have to keep your knowledge continuously updated. You have to continuously form a picture in your mind of what are the challenges that organisations are facing and hence what’s relevant for you, and how do you evolve your security posture beyond just the simple compliance that might be driven off a guideline,” he explained.
As a result, he encourages organisations to constantly be on the lookout for the right people who will look beyond just compliance. Someone who is adaptable and agile, and who will constantly learn and update themselves.
Furthermore, he stated that if local businesses want to strengthen their existing cybersecurity strategy, they must integrate compliance programmes into a risk-based framework.
He explained that the risk-based framework is focused on identifying and responding to factors that can lead to failures in confidentiality, integrity, and availability. Not only that, but a risk-based format takes into account what is offered to a specific company in a specific industry because risks vary by industry.
“What you’re doing when you are applying a risk-based framework is really contextualising it in for your industry, company and country. [By] using that framework, it will help you understand and respond to factors through analysing it. And then you can start understanding what your risk parameters are.”
Nevertheless, there will be some challenges along the way when attempting to strengthen the cybersecurity strategy. According to Sandeep, the first challenge is persuading the boards to spend money on security.
More often than not, boards are debating whether their investments in certain assets are worthwhile, and security is one of them.
However, in today’s reality of increasing cyber attacks, malicious software resistance to preventative controls, and increased risks of data breaches as more data is uploaded to the cloud, security is something that simply cannot be ignored.
Without sufficient funds and management support, it can become increasingly difficult to keep company data secure as the number of apps and devices used by each individual employee increases year after year.
“From a user perspective, they don’t really want to harm their experience or speed or innovation or performance by implementation of security solutions. Technology groups don’t really want to be slowed down in bringing new features just because there are additional steps that need to be done for security measures,” he explained further.
The last challenge Sandeep highlighted is the “I've got everything under control" or “we are well protected” mentality, only to discover that months or years later, there are still things that have not been integrated or forgotten about.
Is this something that Rackspace Technology can help organisations prevent?
Although Rackspace Technology is not well known as a security company, they became involved and are well versed in it because they sell hosting to customers and want the hosting to be secure. That’s where it all started.
From there, they progressed to assisting customers in migrating to AWS, Microsoft, and Google in a single and multi-cloud environment. Customers became curious about the security of the cloud, and Rackspace Technology took initiative to learn more about cloud security.
According to Sandeep, Rackspace Technology can provide a variety of assessments to identify gaps in your environment and recommend actions to help you optimise your cloud security strategies — allowing you to meet the security and compliance mandates that are important to your business.
They also have advanced security monitoring, with a concept that allows customers to have on-demand access to a pod of security experts who will work with them to assess, implement, engineer, and manage their security and compliance challenges. He said this concept provides agile, proactive, end-to-end security services that are constantly improving security postures.
“That's what Rackspace has done, [which is] bring these skills together [and] offer them a pod concept where they can get access to eight or nine skills and you can buy it [for] 25 or 50 hours all the way up to 100 hours and mix and match the skills you need on a monthly basis,” said Sandeep. “That’s where we play, that’s where our strength is.”