Transforming Security Requires the Right Security Culture

4,000 ransomware attacks per day, almost five times as many attacks on Internet of Things devices within a single 12-month period, and twice the number of DDoS attacks over the same period: these figures attest to the relentless criminal energy of attackers, and they are certainly alarming. Given ever-growing data volumes and the global economy's increasing dependence on flawless and secure data handling, the rapid rise in the number of attacks can easily drive IT departments, and management along with them, to sheer desperation. Each time data is successfully stolen or an IT infrastructure is compromised, the targeted company does not just stand to lose its competitive edge; its very survival can be at stake. The company's reputation can also take a beating: according to a Deloitte study, 80 percent of consumers prefer products from companies that appear to protect personal data more successfully.

Bearing all of this in mind, you would expect IT security to be the absolute top priority for CIOs and to command their full attention. Unfortunately, reality looks different. Everyday operations (which include the daily defense against cyber attacks) consume most of every IT department's time and leave little room for strategic tasks. Further problems are chronically insufficient IT budgets and, occasionally, a rather reckless attitude: because a data breach usually only becomes visible after combing through vast volumes of security logs, many IT departments have chosen to bury their heads in the sand and have failed to modernize their IT security. They need to recognize that data theft is a merciless reality for every company, whether it is noticed or not.

Then there are the notorious security silos. Security in most companies is organized in a decentralized way, divided up by department or application: the CRM department takes care of CRM security, the ERP department takes care of ERP security, and so on. Everyone addresses their own security issues, and hardly any cooperation takes place. As a result, large, home-made security gaps open up over time, and the existing systems can hardly close them. An attacker who moves laterally from the CRM system to the ERP system falls into exactly this gap: each team monitors its own application, and nobody is watching the path between them.

Given the extent to which companies depend on smooth IT operations, such gaps are no longer acceptable. How can they be remedied? Naturally, the security infrastructure must be modernized. As a further step, though, the organization needs to change: the CIO should ideally place responsibility for IT security in the hands of a Chief Information Security Officer (CISO). A CISO should be responsible for a wide range of tasks, including communicating with management to familiarize them with IT security and its importance. I hear over and over again that IT teams are under serious pressure and are forced to scale back security measures so as not to impair their company's productivity. It is understandable why upper management might put them in that situation, but in doing so they are playing Russian roulette. Instead, they should use modern technology to maintain productivity without sacrificing security. Of course, the communication between the CISO and management must also include negotiating a larger security budget.

The action list should additionally include rolling out a company-wide set of security policies, safeguarding day-to-day operations, modernizing the systems, and training employees. The CISO must also take new technologies into consideration, from the cloud to the IoT, while engaging with the topic of compliance, particularly with a view to the European General Data Protection Regulation.

However, closing the security gaps created by factors such as home-grown security silos will probably be the CISO's most important task. To achieve this, the CISO must bring the owners of those silos and all department heads to the same table to make joint decisions and remove barriers to the greatest possible extent.

Integrated security is often suggested in this context. It is a sound general approach, but it does not really do justice to the task at hand. Instead, companies should consider security from the vantage point of the digital transformation and focus on 'security transformation.' This concept encompasses technology, infrastructure and organization as well as the necessary changes to the security culture within the company. That culture affects all levels and departments, from the boardroom to the IT department (naturally) and individual employees, who need to be aware of the consequences of a careless click on an e-mail attachment or link. An active security culture of this kind is the prerequisite for mounting an effective cyber defense.

For more information on what else CIOs and CISOs need to know when dealing with specialist departments and management, please refer to our 'Connected CIO' booklet.