Data is the lifeblood of most modern organisations. Protecting this critical business asset therefore demands that cybersecurity sit at the top of the agenda in both the data centre and the boardroom.
Traditionally, an enterprise’s cybersecurity team focused on IT security risks and threats, with minimal thought dedicated to big-picture business risks, objectives and strategy. The team deployed controls within a defined corporate network boundary, driving a very technology-focused approach to cybersecurity. This resulted in the cybersecurity team often talking to the wider business in a completely different language, peppered with security terms and acronyms.
Digital transformation changed the game
As a result of digital transformation, cybersecurity can no longer be handled as an after-the-fact bolt-on, separate from the rest of the business. Cybersecurity must be approached with a strategic view, considering cybersecurity and resilience as business enablers that help enterprises safely embrace the benefits of digital transformation.
The World Economic Forum now recognises the importance of high-level responsibility for the strategic governance of cyber risk and cyber resilience. This is illustrated by the report “Advancing Cyber Resilience: Principles and Tools for Boards,” in which the forum concluded that “cyber strategy must be determined at the oversight board level.”
Cybersecurity strategy and business objectives must be aligned, and obtaining board-level buy-in is key to attaining and maintaining a strong security posture.
The ever-evolving cybersecurity landscape
In today’s cybersecurity landscape, many organisations are unable to close the widening gap between their security posture and the threat landscape, as attackers constantly evolve their tools to become more sophisticated. At the same time, organisations are trying to stay on top of changing security-related regulatory and legislative obligations that differ dramatically across geographies.
Spending more money isn’t necessarily the answer. Although security budgets are increasing, businesses aren’t necessarily more secure. There are myriad factors causing this, including:
- Limited integration: often there is little or no understanding of the cybersecurity risk posture throughout the business, making it difficult to reduce business risk.
- Lack of prioritisation: resulting in security investments being allocated to put in place the latest tool or tech, instead of reviewing the foundations of security.
- Bottom-up technical silos: causing a lack of alignment between the security solutions deployed and business objectives.
- No optimisation: which can mean multiple security controls installed to do the same job and failure to take advantage of virtualisation or new functionality in existing security tools.
Addressing these problems and, in turn, closing the gap requires senior leadership to drive the business’s cybersecurity strategy. In addition, the cybersecurity team must focus on managing cyber risk in accordance with the business’s goals and risk appetite.
For enterprises to become truly cyber resilient, they must also be prepared for the worst to happen. It’s no longer a question of whether a hack will occur but rather what the likely consequences of a breach will be when it does. The legislative and regulatory implications of a large cyber incident continue to grow, and reputational damage can also cause serious problems. A Juniper Research report estimates the cost of cybercrime to businesses will total $8 trillion by 2022.
The Cyber Reference Architecture (CRA) is a framework and a methodology that can be used to address these challenges. It consists of tangible strategies, tactics and capabilities that provide a common language, allowing an enterprise to take a consistent approach and long-term view that aligns security strategy with the business and accelerates digital transformation projects. This includes:
- Understanding which objectives matter most to the business
- Defining security requirements to achieve those objectives
- Mapping out the best approach for deploying targeted security capabilities to support the plan
Long-term business benefits
By using the CRA, businesses across industries can transition from a reactive model of cybersecurity to cyber maturity. This will help organisations become better equipped to visualise their future state and develop a short- and long-term timeline to get there. Crucially, they can then improve business outcomes by optimising their security budget and operational costs against what needs to be protected. This will enable the business to avoid financial losses from cyber-attacks by managing existing and emerging risks, and to ensure compliance with laws and regulations.
Today, security organisations constantly face decisions about upgrading tools and adding services to improve processes. However, before they can operate optimally, it is critical that they understand all the risks impacting the business and the state of the organisation’s security posture, underpinned by a strong cyber reference architecture.