As Christmas fast approaches, and many are waiting for letters from Santa, CISOs and cyber security experts around the world are busy putting plans in place for 2019 and reflecting on what could have been done differently this year. The high-profile data breaches have been no secret – from British Airways to Dixons Carphone to Ticketmaster – and the introduction of GDPR in May 2018 sent many IT professionals into a frenzy to ensure practices and procedures were in place to become compliant with the new regulation.
What the introduction of GDPR did demonstrate was that organisations should no longer focus on security strategies, which protect the organisation’s network, but instead focus on Information Assurance (IA) which protects an organisation’s data. After all – if an organisation’s data is breached, not only will it face huge fallouts of reputational damage, hits to the organisation’s bottom line and future prospecting difficulties, but it will also be held accountable to regulatory fines – up to as much as €20 million, or 4% annual global turnover under GDPR. Stolen or compromised data is therefore an enormous risk to an organisation.
So, with the festivities upon us and many longing to see gifts under the tree, CISOs may be thinking about what they want for Christmas this year to make sure their organisation is kept secure into the new year and beyond. Paul German, CEO, Certes Networks, outlines three things that should be at the top of the list.
Backing from the Board
Every CISO wants buy-in from the Board; and there’s no escaping from the fact that cyber security must become a Board-level priority. However, whilst the correct security mindset must start at the top, in reality it also needs to be embedded across all practices within an organisation; extending beyond the security team to legal, finance and even marketing. The responsibility of securing the entirety of the organisation’s data sits with the CISO, but the catastrophic risks of a cybersecurity failure means that it must be given consideration by the entire Board and become a top priority in meeting business objectives. Quite simply, a Board that acknowledges the importance of having a robust, innovative and comprehensive strategy in place is a CISO’s dream come true.
A simple approach
A complicated security strategy is the last thing any CISO wants to manage. The industry has over-complicated network security for too long and has fundamentally failed. As organisations have layered technology on top of technology, not only has the technology stack itself become complex, but the amount of resources and operational overhead needed to manage it has contributed to mounting costs. A much more simple approach is needed, which involves starting with a security overlay with will cover the networks, independent of the infrastructure, rather than taking the narrow approach of building the strategy around the infrastructure. From a data security perspective, the network must become irrelevant, and with this flows a natural simplicity in approach.
A future proof solution
The cyber landscape is constantly evolving; with new threats introduced and technology appearing that just adds to the sophisticated tools that hackers have at their disposal. What a CISO longs for is a solution that keeps the organisation’s data secure, irrespective of new users or applications added, and regardless of location or device. By adopting a software-defined approach to data security, which centrally enforces capabilities such as software-defined application access control, data-in-motion privacy, cryptographic segmentation and a software-defined perimeter, CISOs can ensure that data is protected in its entirety on its journey across whatever network it goes across while hackers are restricted from moving laterally across the network once a breach has occurred. Furthermore, the solution can protect an organisation’s data not only in its present state, but into the future. By enforcing a solution that is software-defined, a CISO can centrally orchestrate the security policy without impacting network performance, and changes can be made to the policy without pausing the protection in place.
Three simple wishes
High-profile data breaches won’t go away any time soon, so it is the organisations that have the correct mindset, with Board-level buy in and a unified approach to securing data that will see the long-term advantages. Complicated, static and siloed approaches to securing an organisation’s data should be a thing of the past, so the good news is that, in reality, everything on a CISOs Christmas wish list is attainable (although not able to be wrapped), and should become a reality in the new year.
