Authored by: Kamal Brar, Vice President and General Manager for Asia Pacific and Japan, Rubrik
Cybersecurity threats are one of the major concerns for businesses across regions and industries. The financial implications of breaches and the resulting downtime are well known, and the cost to organisations is projected to compound in the coming years as the adoption of technology accelerates. Globally, US$5.2 trillion in total business value is at risk over the next five years. In recent years, Asia Pacific has been a primary target of cybersecurity threats, undermining the region's potential for growth in the digital economy. Yet, despite the potential impact of these threats, the majority of organisations in the region lack appreciation of the value of adopting a security-first IT strategy as a vital step towards digital transformation.
As cybercriminals continue to find ways to thwart installed security systems, no organisation is exempt from intrusions and threats. IT leaders must learn how to navigate the technical security landscape by building agile and responsive teams, and by bringing forward the business value of security to influence company-wide priorities. In order to effectively drive and advocate for a security-first posture within their organisations, tech leaders must take decisive and specific steps in support of this goal.
Step 1: Conduct an Honest Analysis of a Security Event
Whenever a security event of any kind occurs, IT teams should first seek to contain it, and then conduct a thorough incident analysis to pinpoint the vulnerabilities that were exploited and identify all systems that were affected.
Although these steps may appear obvious, the long-term positive outcomes of the event may be less so. An honest analysis of a security event can expose the weak points in a system but can also highlight the context in which the event occurred and prompt a more rigorous interrogation of existing security measures.
Corporate IT teams may be aware of the need to evolve their security strategy, but conflicting priorities and a lack of resources can sometimes push this goal to the back burner. Often, it is only when the IT team is confronted with an event that security becomes a top-of-mind concern.
A cybersecurity breach can bring issues that have been overlooked, like data replication or the company's disaster recovery programme, to the surface and demonstrate the need for a more urgent response.
A deep dive into the existing security architecture might reveal a need for re-evaluating SLAs, improving recovery point objectives (RPOs), and minimising manual processes, as well as prompting a holistic reprioritisation of security's role in the company's IT framework.
Step 2: Reassess Your Security Strategy
A security-first posture prioritises proactive approaches to security. A few key aspects of such an approach include:
Availability: Improving visibility into all data and assets, as well as ensuring that data is clean and easily accessible for the users who need it.
Training: Implementing employee training programmes, often bringing in third-party speakers and consultants to provide additional perspective.
Internal Communication: Communicating regularly and openly with employees about what processes are changing, and what the anticipated timeline looks like for those new processes to take effect, to mitigate productivity loss.
Testing: Planning regular risk management meetings that address real-life examples of various types of security breaches and take employees through simulation exercises.
Effective change management requires IT leaders not just to onboard new processes and guide their teams through smooth transitions, but also to make choices based on where they want to go. In this way, leaders can help their teams maintain the stability they need as they progress towards their overarching goals.
Step 3: Secure Executive Buy-In
Formulating a new strategy is only half the battle. The next step is getting buy-in from stakeholders. Securing executive buy-in for investment in security is, understandably, much easier to do after experiencing a security event within the company or hearing about one on the news.
The real challenge, however, is maintaining that buy-in even as the buzz starts to wane. Secure airtime with the decision-makers by focusing on three areas:
Industry-specific Attacks: By homing in on an industry's most common types of attack and providing real-life statistics and examples of events at similar companies, IT leaders are more likely to capture the attention of stakeholders who may downplay the likelihood of experiencing an event themselves.
Company Reputation: Trust is everything. A company’s reputation is one of its most valuable assets, and a security-first posture gives customers the confidence that their data will be well protected, and that the company is a reliable partner. In turn, this sense of trust can yield a stable and loyal customer base.
Business Continuity: A security-first approach means IT organisations are well equipped to respond to a security event without significantly disrupting the team's operations. However, if security is addressed as an afterthought, teams are forced to scramble for ad-hoc solutions. This kind of 'fire drill' is time-consuming and frustrating, and distracts teams from their long-term goals. Downtime can also affect functions beyond IT by preventing other parts of the organisation from working, thereby affecting the company's overall productivity.
By tying the security strategy back to the business impact, IT leaders can help stakeholders understand the importance of investing time and resources into a security-first posture and can maintain executive buy-in even when the potential of a security event may not feel particularly tangible. As a whole, IT leaders ought to think of their security strategy as a reflection of their business's vision, their team’s priorities, and their company’s culture. The shift to a security-first posture is an essential element of becoming a reliable, adaptable, and forward-thinking organisation.