
How to empower a security-first mindset

As rapid digitalisation continues, business leaders have a lot on their minds when it comes to ensuring their organisation is cyber resilient. This is especially true as many organisations empower employees to work from anywhere, using more devices and generating more data – and entry points – than ever before. Tim Miller from DXC Technology explains.

Tim Miller
Tue, 02 Nov 2021

DXC recently partnered with Harvard Business Review Analytic Services to uncover what non-IT executives are concerned about when it comes to security. What we found was that executives are still very much concerned about an inability to detect and prevent data theft and phishing attacks as well as protect unsecure networks and software. In fact, more than half (55 per cent) of those surveyed don’t feel well protected, reflecting a lack of confidence in their organisation’s cyber defence programs.

To become more cyber resilient, by rebuilding confidence and better protecting the entire attack surface, it’s important that security is integrated into every technology and process, rather than treated as an afterthought. This involves a mindset shift that sees security as a business problem among the C-suite, not just a technology problem.

There are three key areas security executives should focus on to get their non-technical counterparts to adopt a security-first mindset, while showing the business value of having a robust cyber security posture to the entire business.


Authenticate … always

Through our research, we found that while 80 per cent of organisations have expanded the collection and use of data across their organisations, not nearly as many assess risk and build in new security measures every time they undertake initiatives to do this. This shows a clear disconnect between the data flowing through the organisation and how protected it is.

This has created new challenges around how to protect this data. On top of this, if organisations want to gain valuable insights from the data they have, then they need to know how it’s captured, retained and used across the organisation, as well as where it resides and who has access to it.

By adopting a Zero Trust approach, businesses can gain greater visibility into what’s happening within the organisation and focus greater attention on the security of the data itself. This is because treating every user and every piece of data as a potential threat inherently results in stronger authentication and verification processes that grant employees or external users access only on the basis of approved factors such as identity, location or device.

Security to mitigate damage far and wide

If the past 18 months have taught us anything, it’s that having a solid business continuity plan allows businesses to be more resilient and navigate any unforeseen disruption. Those organisations that had business continuity plans in place were able to quickly enable remote workforces and implement new collaboration and communication tools, without compromising on security. Those that didn’t were forced to spend time and resources catching up, leaving their organisations vulnerable to cyber risks including extortion-based ransomware, phishing and business email compromise.

Just under half of respondents (49 per cent) we spoke to said security measures at their organisation were tightened when staff began to work from home and remain tight today. This leaves a significant proportion of businesses more susceptible to increased risks. As the unfortunate reality is that cyber risks aren’t going anywhere, organisations need to be prepared not only for if a breach happens, but for when it does, and need to have plans in place to manage any reputational damage, asset losses or operational setbacks.

While assessing the risk landscape and building strong business continuity and disaster recovery plans should be a collaborative effort among business leaders, security plays a crucial role in driving this forward. This can be achieved by providing valuable insights on compliance and regulatory considerations, identifying all internal and external risk factors, and putting measures in place to contain a breach and protect the software supply chain should one occur. Designing this with business risk in mind is an important way to ensure security acts as a tool to protect the organisation's reputation and safeguard credibility.

Focus on culture

We also conducted the DXC Beyond Disruption survey last year to unpack what’s driving technology decisions for Australian businesses. We found that while cyber security has been cited as a top focus for recovery, only 33 per cent offer security training for their staff – overlooking just how important it is to protect employees through awareness and education.

Employees will continue to work remotely, so security executives should collaborate with the rest of the C-suite to ensure that a security-first mindset is not only driven from the top down but reinforced regularly. This can be done through regular education and awareness training sessions that cover all aspects of security for employees – both work-related and personal. It’s also crucial to test employee knowledge on how to spot phishing scams, as employees are the first line of defence for an organisation. Having buy-in from the wider C-suite will also help to establish security champions and allow these principles to cascade through the business.

As businesses move further away from operating in "crisis mode" and focus on more strategic investments, now is the time for security to drive collaboration among executives to ensure authentication processes are in check, business continuity plans are strong, and security is embedded in an organisation's DNA.

Tim Miller is the senior principal for security, APAC at DXC Technology.
