“The more things change, the more they stay the same.”

This saying reminds one of the rapidly changing environment in which businesses are expected to grow.

Whether it be the economic downturn or continuous load shedding that demands a strategy change to keep the business moving and, literally, to keep the lights on – businesses all have one thing in common: they need to adapt and change continuously to survive and thrive.

Things are changing rapidly in information security, too, but the risks and headaches of 10 years ago are still true today. The world is getting smaller, data is pervasive and prolific, and it’s becoming harder to contain the beast unleashed by innovations such as autonomous technologies, AI and interoperable edge computing, which, coupled with changing workforce demographics, significantly impacts how corporate and personal data is shared and stored.

The World Economic Forum’s latest Global Risk Report states that over the next 10 years, “widespread cybercrime and cyber insecurity [will be] a new entrant into the top 10 rankings of the most severe risks”. This is certainly not surprising given how digitised our everyday lives are becoming.

Similarly, the opportunity behind access to business critical information at anytime and from anywhere brings with it challenges in the use and management (often monetisation of) personal data. Take for instance the biometric or facial recognition technology that is deployed across most major global cities. Friend of foe to privacy? There is a growing concern at how the extent of monitoring and analysing weighs against the need to safeguard citizens.

Theft of confidential information is also on the rise because data is not only increasingly portable, but it’s becoming richer and more valuable as we become more digitised and hyperconnected.

Social, cloud

We cannot leave out the social networking element which is forcing us to rethink our policies regarding employee expectations of privacy against the need to protect the enterprise. And what about cloud computing? Previously the main concern was that to take full advantage of the benefits that cloud services bring about required us to relinquish control over our corporate data. But this is becoming less concerning with new emerging technologies such as confidential computing.

Information security is often considered to have three components: technology, processes and people. But be warned, information security is not just an IT problem! Business leaders need to prioritise managing cyber risk and every business function must understand the risks and threats facing them and be part of the process when developing holistic approaches to information security. Humans are still the biggest threat to security. Whether due to ignorance, carelessness or improper access controls, this top threat to cybersecurity can’t be solved by training and awareness alone.

So, what are some of the questions we need to keep top of mind and ensure we are prepared beyond just the tactical?

How do we identify and measure information security-related risks and compare them to other business risks?
How will our organisation’s business model evolve in the future, and what information security opportunities and risks will this present?
How will we ensure compliance with information security regulations and standards without being overwhelmed?
Does information security present opportunities to gain competitive advantage and have we articulated this to internal stakeholders?
Have we clearly identified what information is most valuable to your business and which information is most at risk?
Have we effectively embedded good information security behaviours into our organisation’s culture and what does this mean to the way we do business?
Are we aware of what events may cause our business to lose its trusted status? How are these being mitigated?
Do we understand the dependency we have on trading partners and do we have measures in place to ensure the security of information as it flows through our extended enterprise to third parties?

The answers to these questions might seem embarking on a costly and never-ending endeavour. But it is key to start with the basics of understand the context of the business and the specific industry risks it needs to address and the critical assets that need to be safeguarded. This is also not a one-time exercise – every aspect of the business and its environment changes. Some the key elements include:

Managing exposures: Threat assessments and vulnerability scanning, documenting baseline standards and putting in effective vulnerability management practices that are automated and continuously driving improvement.
Building secure environments: Incorporating secure practices into key business and IT processes, implementing sound information leak management and information access management strategies for the enterprise – including data and identity management.
Managing incidents: Being able to effectively and efficiently investigate and respond to cyberattacks, internal fraud investigations and regulatory queries.
Building in resilience: Having sound business continuity plans and being able to effectively recover in the event of a disaster.

Despite having implementing these elements, we can never be 100% secure, but we can continue to mature these elements and come close, at the very least, to minimising our risks while maximising the opportunities that await us.

About Solid8 Technologies
Solid8 Technologies is a value-adding distributor bringing the best of global cybersecurity software vendors and expertise that solve important security challenges and increase cyber resilience across the domains of data security, identity governance, network security, OT security and threat intelligence.

Focused Attention. Limitless Potential. For more visit www.solid8.co.za.