As businesses face mounting pressure to evolve everything in their organisation – from technology, to processes, to market strategies – cyber-security becomes ever more essential.
Unfortunately, it also becomes ever more complex, writes Paul Jolliffe, DSM expert: security at T-Systems South Africa.
The reality is that very few enterprises are able to instantly digitise and transform their entire underlying infrastructure. In most cases, it’s a gradual transition from the old, to the new. For security professionals, this transition requires an ambidextrous approach: traditional security controls on legacy systems are maintained, but the new wave of platforms (social, mobile, cloud and big data) are brought securely into the enterprise.
As organisations manage and share increasing volumes of data, through ever-more open ecosystems and value chains, limiting ourselves to merely the traditional cyber-security models will simply not address next-generation digital business requirements.
In the traditional set-up, IT security teams would often try to put a lid on any new risks by simply saying “no” to new business requests or rigidly following security policies. But as we enter an era of significant change and disruption, business stakeholders are no longer accepting “no” as an answer.
Now, security teams have a mandate to deliver business outcomes, to enable new innovations and strategies, but in as secure a manner as possible.
The concept of ambidexterity extends further outwards, beyond the realm of the IT division, as more and more social engineering attacks test for vulnerabilities of a non-technical nature. Cyber-security resilience must be woven into the domains of people, culture and processes across the entire breadth of the organisation.
Developing greater awareness and encouraging a security-conscious organisation helps organisations to combat increasingly sophisticated forms of digital fraud – such as phishing, spear-phishing, and whaling.
Another key characteristic of ‘security ambidexterity’ is the focus on proactive, preventative control mechanisms (as opposed to reactive or policy-driven controls). In this way, the enterprise and its security partners continually scan the threat horizon for looming risks, and implement lightning-fast detection and response practices.
As the enterprise becomes more ‘open’ – exposing and integrating more and more of its services into third parties such as suppliers, partners and customers – the attack surface dramatically expands.
An ambidextrous approach acknowledges this trend, incorporating early warning and response practices, to minimise risk while enabling the organisation to participate fully in new digital marketplaces and platforms.
Within the shady underworld of cyber-crime, South Africa regularly features on lists of ‘most-attacked’ or ‘most vulnerable’ countries. In 2017, it seems more local organisations will feel the pain of data theft, financial losses, and reputation damage.
In response to this escalating risk and to protect the man-on-the-street, authorities have drafted a raft of new legislation – from the Protection of Personal Information Act, to the Cybercrimes and Cyber Security Bill – which bumps security to the top of boardroom agendas.
Ultimately, these steps mean security is no longer just a technology or an operational issue, but also a legal requirement. Organisations can simply no longer afford to let security be an afterthought in their quest to embrace digital transformation and all the benefits it brings.
A recent paper by Boston Consulting Group highlights the need for company boards to understand how disruptive technologies alter their ‘cyber-risk exposure’. It notes the responsibility for leaders to support and accelerate transformation, but at the same time to “de-risk their organisations’ value creation or to make the world a bit safer for business partners and consumers.”
Only with a truly ambidextrous security posture can CIOs maintain this delicate balance between capturing adventurous new business opportunities and always keeping a watchful eye on how to de-risk the organisation.