In July 2019, research and consultancy firm Gartner published a list of “8 reasons why more CEOs will be fired over cybersecurity breaches — and how to prevent it”. It’s a funny headline, but a serious issue.
In the article “Keep Your Job After a Cyberattack” by Gartner Australia’s Susan Moore, the company reported that it is the CEO who typically shoulders the blame for cybersecurity incidents — even more so than the IT executives.
The article goes on to explain how senior executives can build “defensibility” by doing things like “throwing money at the problem”. Perhaps more helpfully, the report notes there is a cultural disconnect whereby security continues to be treated as a technical problem despite what the Board has known for more than a decade.
Security is a business problem.
You only need to look at the list of whitepapers available from various cloud providers, CDNs, and SaaS solution vendors to know security and compliance is becoming more complicated as these technologies gain traction in the engine rooms of digital transformation.
The key to reducing this complexity is to close the loop on the ‘technical’ vs. ‘business’ debate by providing business leaders with better tools to monitor their technical systems. Not with arcane measurements of bits and bytes, but with an added layer of context that reflects the established compliance policies of the organization.
It’s not that CIOs are unsympathetic to the needs of business leaders. Like all members of the c-suite, they are increasingly sensitive to the expectations of regulators, the media, the markets, and their customers.
However, most organisations stumble at the first hurdle. CIOs understand there is a connection but often fail to translate technical activities and metrics into the business perspective of security and compliance policies. Those bits and bytes do add up to ‘real-world’ business activity, but it’s often difficult to see how.
You need to go through a discovery process to understand where the data is, how and why it is accessed, where the vulnerabilities lie, what processing is done to it, and so on. Only when you have a picture of your digital operations and how they relate to your policies, standards, and procedures can you accurately generate a meaningful view of compliance.
It’s one thing to go outside and get consultants to perform security audits and penetration testing, but that’s a point in time. It’s another thing entirely to monitor whether you continue to meet your own rules and guidelines.
You see, today’s digital systems constantly evolve. You might have been meeting your compliance obligations yesterday, but can you be sure of the same today? To know that, it’s necessary to monitor digital activity at a higher level of abstraction.
Your IT department is already overflowing with tools that can report on network and application activity, but these are objective measures. These tools don’t make value judgements about whether an action is a good or a bad thing, or whether this or that transmission is business as usual or an internal compliance breach.
By establishing benchmarks and parameters for security and compliance and then translating those into technical activities and metrics, your organisation can monitor its digital systems and know if your standards are still being met.
Then the c-suite can see on a dashboard whether they have had any security policy or regulatory compliance breaches. It becomes a simple binary question. “Has policy been breached?” “If so, where?” More importantly, they can see this without a computer science degree. That way they can concentrate, not on the technology, but on the delivery of customer value.
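As an added illustration of the loop described above (business rule, technical translation, monitoring, binary dashboard), and not code from Ikara or the Echelon platform, the following Python sketch expresses three hypothetical compliance policies as checks over technical telemetry and reports each one as “breached / where” or “ok”. The policy identifiers, the event fields, and the sample log records are all constructed for this example.

```python
"""Constructed example: translate plain-language compliance policies into checks
over technical activity records and report a binary per-policy breach status.
Policies, field names and events are hypothetical, not from any real system."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    """One technical activity record (the 'bits and bytes' layer)."""
    event_id: str
    system: str          # hypothetical system that emitted the record
    actor: str
    action: str          # e.g. "read", "export", "transfer"
    data_class: str      # e.g. "public", "internal", "personal"
    dest_region: str     # region the data was read from or sent to
    encrypted: bool
    timestamp: datetime


@dataclass(frozen=True)
class Policy:
    """A business rule plus its technical translation (the 'context' layer)."""
    policy_id: str
    statement: str                          # the rule in plain words
    violated_by: Callable[[Event], bool]    # returns True when an event breaches it


# Hypothetical policies, each paired with the technical test that detects a breach.
POLICIES: List[Policy] = [
    Policy("DR-01", "Personal data must not leave the AU region",
           lambda e: e.data_class == "personal" and e.dest_region != "AU"),
    Policy("ENC-02", "Internal and personal data must be moved encrypted",
           lambda e: e.action in {"export", "transfer"}
           and e.data_class in {"internal", "personal"} and not e.encrypted),
    Policy("ACC-03", "Personal data may only be exported between 08:00 and 18:00",
           lambda e: e.action == "export" and e.data_class == "personal"
           and not 8 <= e.timestamp.hour < 18),
]

# Constructed sample activity, standing in for what monitoring tools would feed us.
SAMPLE_EVENTS: List[Event] = [
    Event("ev-001", "crm-db", "alice", "read", "personal", "AU", True,
          datetime(2019, 7, 10, 9, 15)),
    Event("ev-002", "analytics-etl", "svc-etl", "export", "personal", "US", True,
          datetime(2019, 7, 10, 10, 5)),
    Event("ev-003", "file-share", "bob", "transfer", "internal", "AU", False,
          datetime(2019, 7, 10, 14, 0)),
    Event("ev-004", "web-cdn", "svc-web", "read", "public", "SG", False,
          datetime(2019, 7, 10, 3, 30)),
]


def evaluate(policies: Iterable[Policy], events: Iterable[Event]) -> Dict[str, dict]:
    """Answer 'Has policy been breached? If so, where?' for every policy.

    Returns {policy_id: {"statement": str, "breached": bool,
                         "where": [(system, event_id), ...]}}.
    """
    dashboard = {p.policy_id: {"statement": p.statement, "breached": False, "where": []}
                 for p in policies}
    for event in events:
        for policy in policies:
            if policy.violated_by(event):
                entry = dashboard[policy.policy_id]
                entry["breached"] = True
                entry["where"].append((event.system, event.event_id))
    return dashboard


def render(dashboard: Dict[str, dict]) -> str:
    """Plain-text version of the executive dashboard: one line per policy."""
    lines = []
    for policy_id, entry in dashboard.items():
        status = "BREACHED" if entry["breached"] else "ok"
        lines.append(f"{policy_id:7} {status:8} {entry['statement']}")
        for system, event_id in entry["where"]:
            lines.append(f"        at {system} ({event_id})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(evaluate(POLICIES, SAMPLE_EVENTS)))
```

The point of the split between `Policy.statement` and `Policy.violated_by` is that the executive reads the former and the engineering team owns the latter; when a rule or a system changes, only the lambda needs updating, and the dashboard keeps answering the same two questions.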
Ikara’s Echelon platform can help you measure and monitor against a set of compliance guidelines by taking those metrics, that monitoring, and extrapolating them out to a layer of abstraction that tells a story about your business rules and procedures.
Save your job and visualise your due diligence