Thursday, April 21, 2016

A New Paradigm in Cybersecurity

James McFarlin

The vast majority of networks and applications powering American businesses, government agencies and military services are aging legacy systems in which security was not a primary design criterion - perhaps not a criterion at all.

The massive worldwide growth of the Internet, and the security risks which accompany this global net, mean that we are now paying the price for this design omission.

Cybersecurity for these legacy systems is largely 'bolted on,' an arrangement which provides security ranging from marginally adequate to nonexistent - think the massive Office of Personnel Management (OPM) personnel information misappropriation and Sony Pictures Entertainment theft, system destruction and threats of extortion.

But technology is not the only force in cyber secure operations. Misdirected or absent executive oversight is a major factor. A recent study, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility, found that while chief information security officers are spending more time in front of boards, information exchange is too often truncated by both the lack of cyber knowledge among board members and ineffective communication on the part of the technical officers.

The study found the "inability of technical officers to quantify and convey the actual impact of a breach," which limits its importance to the C-suite executives making decisions on cybersecurity budgets and staffing.

Accountancy and consulting firm Deloitte believes the issue to be even deeper. With cybersecurity now affecting virtually all aspects of the organization, "increased focus must be given to addressing a cultural change in the organization." In this new paradigm, "An integrated risk philosophy is mandatory, where cyber risk management and technology must be on an equal footing."

Some organizations, however, have begun to define cybersecurity as a risk management function, thus forcing cyber risks to be viewed in business terms. For many, this is a major transformation which will not come easily.

How long will such alterations take? Cultural change is difficult. But the reality of today's world means cyber breaches will deliver not only financial costs, but also risks to customer retention, potential damage to reputation and brands, and in some cases, interruption of business operations.

Viewed in this light, a paradigm shift in organizational thinking has become essential and, increasingly, urgent.

A recent cybersecurity assessment from accountancy EY placed the issue in perspective, advising that, in cybersecurity, "High alert must be your constant state."