October 8, 2020

People, Processes, Technology: An Introduction to a Comprehensive Approach to Cybersecurity

This blog post was originally posted on Medium, written by our Chief Information Security Officer / Data Protection Officer Marco Brondani.

2020: a year that is changing the lives of most of us, wherever we live, whatever we do, however we love. Asian, European, African, rich or poor, healthy or with preexisting conditions. An unexpected pandemic has touched everyone, and how we choose to live through it or survive it is a common challenge. While masks and other face coverings have become a tool for protecting ourselves and others from the spread of this terrible virus, new ways of communicating, meeting, and working have been adopted. All of humanity has been pushed towards technologies and tools that, let’s be honest, not everyone understands or was ready to embrace. For some, it means a lot of monetary gain; for others, it means getting a glimpse of freedom. For others, it’s just another way and reason to gain power and control.

Whatever we do, whatever industry we are in, security and (more specifically) cybersecurity have become a fact, something not part of internet legends or friends-of-friends tales. It must be considered a top priority and an integral part of this global digital transformation journey. Governments, Organisations, Businesses, Individuals: we must learn how to stay safe.

Most organisations know they need to allocate resources to protect themselves from data security breaches, information leaks, extortion, and financial loss. They have focused on building up the technical aspects of their IT security strategy by adopting various technology tools and products – unless they are not protected.

Organisations that operate solely on the conviction that security starts and finishes with purchased security tools are still leaving themselves defenceless against threats and attacks.

Cybersecurity requires addressing elements like organisation, culture, the human factor, and the tools and how those are used in a specific context: people, technology, and processes are the keys to an effective cybersecurity program.

While some businesses are at greater risk than others, no one is immune to cyber threats and attacks. Cybercriminals tend to follow the money: the financial services sector, the information and communications technology sector, manufacturing, retail, and healthcare are the top five most attacked industries, as reported in the IBM X-Force Threat Intelligence Index.

However, every organisation has the potential to be under attack. Security strategies and tactics must be comprehensive in their approach and must continually evolve and adapt to prevent dangers in the ever-changing threat landscape.

Any organisation that believes its cybersecurity needs are met because it has chosen and deployed solutions it can set and forget is in for a nasty shock before long.

Even if an organisation has the top specialised security products, attackers can use either their proximity or psychology and social engineering to sidestep technology and use insiders to carry out their attacks.

Technology alone is not enough. People and processes are the other variables of the equation.

Organisations that embrace a comprehensive approach to security (and cybersecurity) are better prepared to anticipate, mitigate, and remediate attacks than those that don’t. Such an approach combines people, processes, and technology. It involves not only the technical but also the human, social, cultural, and management factors that apply to the identification, counteraction, and correction of cybersecurity weaknesses.

Organisations can achieve a stable cybersecurity posture through a combination of multilayered and integrated security solutions, end-user education and awareness supported by processes, security best practices, governance, and a culture of security as a shared responsibility.

Ok, quick notes on technology…

There has been an explosion of cybersecurity vendors offering a host of security products. Demand for effective security tools from trustworthy vendors is clearly growing, and there is no denying that technology is an indispensable foundation of a solid defence strategy.

In addition to practising good basic security hygiene, organisations should deploy multiple layers of defence, and the selected security tools need to be well integrated into the overall security architecture. The technology should be manageable, as a secure environment is visible, understandable, and properly executed.

Merely having security products and tools from trustworthy vendors in place is not enough. Most companies respond to growing cyber threats by buying more security tools, and are increasingly finding themselves bewildered. The disadvantage of having many solutions is the need to operate all of them. The more vendors and products a company adopts, the harder it is to operate them optimally, let alone maintain and understand each security layer, its relevance, and its effectiveness.

The technology should be integrated, and the various solutions should provide end-to-end cybersecurity that helps improve detection, prevention, and response, and streamlines security operations to stop threats before they reach customers.

… people, …

People make an organisation; therefore, a comprehensive cybersecurity approach must consider human, cultural, and social factors.

Regardless of how exceptional and useful security technology tools are, successful deployment and implementation of the technology is impossible without skilled people and support processes within the cybersecurity strategy.

Cybersecurity is a human-driven discipline.

After all, cyberattacks are designed and executed by a person, and most attacks target a person for information. As such, human behaviour is key to closing security holes. People in the organisation can either be the weakest point in the security design or can be pivotal to strengthening the overall cybersecurity posture of the organisation.

An organisation needs:

– competent IT and security professionals: building a robust cyber defence strategy means having a team of well-trained and possibly certified people who are skilled in security technology.

– educated employees: all employees should understand basic cyber hygiene practices.

… and processes.

There should be suitable policies and procedures that provide guidance and direction to support appropriate action and informed decision making, helping the organisation’s staff keep information secure. Those also include testing of processes and awareness training to establish how effective they have been, for example, through realistic practice sessions and simulation exercises, or via technical penetration testing.

Policies and guidelines need to be maintained as a living framework so that they adapt to conditions and threats that are continually changing shape and targets. Of course, this means that systems, policies, processes, and guidelines need to be established to begin with.

It is no good having policies and guidelines in place if staff are unaware of them, as this lack of awareness exposes businesses to cyberattacks. Unfortunately, most employees appear to be unaware of their organisation’s information security policies and regulations.

Pro-security company culture

Cybersecurity is a shared responsibility

Improving user behaviour and having a culture of shared responsibility can reduce business risks. The key to addressing the human aspects of security is cultivating an attentive and security-minded culture, where employees are encouraged to follow guidelines. Management should assert that information security and data privacy are the responsibility of all staff, and the pro-security attitude should come from the top down, led by example.

Employee education goes a long way towards helping users understand likely threats and their obligations and duties to follow processes and strategies to protect themselves and the company. Organisations that strive to instil a culture of care (where each employee should report and react to any potential or genuine threats and attacks) can greatly improve their cybersecurity posture.

* * *

Here I wanted to give a quick introduction to the comprehensive approach to cybersecurity. In the next posts, I will expand on people and culture and include some examples from my real-life experience.