Of all the business risks facing organizations today, cyber-attacks were recently highlighted by executives as the most serious. That’s a heartening sign that awareness levels at the very top are at least improving. But it’s too soon to get carried away. In fact, separate research reveals that many organizations still treat security as an afterthought, until they’re breached.
It’s 2022 and organizations can do better. Closer communication between IT and business leaders can help to drive a more strategic, proactive approach to managing cyber risk. For those keen to get on the front foot against their adversaries, data-centric security is increasingly an essential best practice for doing so.
Global businesses have been buffeted by strong economic headwinds of late. But cyber still ranked as the top business risk, according to C-suite executives surveyed by PwC. Even more remarkable is the fact it beat risk factors such as inflation, talent acquisition and retention and rising production costs—which are causing sleepless nights for executives everywhere.
It does seem like the C-suite is starting to understand that cyber risk is an intrinsic part of business risk. A serious security breach could derail digital transformation projects, and cause major financial and reputational damage that may take years to recover from. Another driver may be more pertinent still for senior executives: new SEC proposals that would require boards to directly oversee cybersecurity, and make regulatory disclosures about directors’ cyber expertise.
However, old challenges persist, as evidenced by a new UK government report which looks at the state of security in several organizations. Crucially, IT respondents had the following to say:
“Not all were sure that their leadership teams fully understood the ‘scale of the threat,’ or the ‘cultural transition’ required to meet the growing cybersecurity challenge. Consequently, for many organizations in this study, leadership became more engaged in the cybersecurity challenge post-breach and has since demonstrated more serious intent to help the organization improve.”
While engagement post-breach is better than no engagement at all, it is also sub-optimal. Executives that continue to view security in reactive terms will be less engaged, and less committed to long-term, strategic thinking. As this report argues, they’re less likely to ask tough, pointed questions of their CISOs. And they’re more likely to passively approve only the most basic people, process and technology changes, to ensure bare minimum levels of compliance.
Organizations need instead to tackle security as an urgent imperative, to reduce overall business risk and enhance growth opportunities. It’s heartening to note that, despite the headline findings, respondents to the UK government study did acknowledge cyber-attacks are growing in volume and sophistication. And they agreed that security controls need to evolve as a result. The challenge is communicating that message to boardroom executives.
But what happens once the message does get through? One of the first things CISOs can advocate is a data-centric security approach. That means applying protection to the data itself rather than relying solely on controls at the endpoint, perimeter and other layers of the IT environment. Doing so ensures that even if threat actors get hold of the organization’s crown jewels – highly regulated customer information and/or IP – they won’t be able to use it. By applying the right kind of format-preserving encryption, it also means those organizations can leverage this data via analytics tools to drive innovation and growth. When it comes to mitigating cyber risk, being proactive is the best way to get results.
Find out how comforte can help your organization get on the front foot with data-centric security: