“If you spend more on coffee than on IT security, you will be hacked.”
That was according to Richard Clarke, former special advisor on cybersecurity to the US President. He added, “What’s more, you deserve to be hacked,” which does seem a little harsh. Maybe times are changing, but one thing hasn’t changed: cybersecurity still isn’t being taken as seriously as it should be, at least in some quarters, and in many organisations it isn’t allocated the budget it deserves.
Which is curious because, increasingly, high levels of data security and validated cyber resilience can be seen as providing the organisation with a distinctive competitive advantage. And this isn’t marketing blah: it’s what I’m hearing from our forward-looking clients, and it’s what keeps my teams and me so busy.
We’ve been told that you can change your competitive advantage, that DevOps would provide the new value we needed, that AIOps presents fresh opportunities, and that data products and DataOps are now the way forward. But none of this is worth much if our security is lacking. You can indeed change your competitive advantage, but only if that change is backed by serious firepower in terms of cyber security and cyber resilience.
If we don’t secure our infrastructure, enterprise and mainframe, that “competitive advantage” is not worth a hill of beans.
The world is constantly changing, with new technologies and new opportunities for cyber crime, new threat vectors emerging, and new spins on malware and ransomware. Security is a business issue, not an IT issue.
This new world means we have to be constantly on our guard: testing and assessing, checking and validating, auditing our security posture, pen testing to understand the flaws and vulnerabilities, and working towards a zero trust stance.
One of the reasons we don’t hear so much about mainframe breaches, and certainly not the more serious ones, is that nobody talks about them. But I see those security gaps and vulnerabilities every day in my professional practice. (A couple of years ago, Twitter saw a rash of parody posts in response to infosec advice, in particular under the hashtag #cisotips, one of which read, ‘A vulnerability in your product is only critical if it’s covered by the media. Refrain from publishing any details to keep severity low.’)
And the threat can, of course, be internal as well as external. You may have heard about the major South African bank that experienced a host master key breach, with reports that “several rogue employees managed to steal it, decrypt it, and print the key on paper.” The attackers used the master key to access bank accounts directly, making more than 25,000 fraudulent transactions. It was reported that the stolen master key “protected all the other cryptographic keys. Therefore, the attackers could access all the ATM PINs, home banking access codes, customer data, and credit cards inside the mainframe architecture.” Just imagine it: compromise the one key at the top of the hierarchy and every key beneath it, and everything those keys protect, is exposed.
This is what we’re up against. We have to be ready, to take action now, or otherwise risk an unwanted appearance on the front page. But this needn’t be a negative: you can make security your competitive advantage.
Being kind, probably 25% of the organisations that I engage with are doing security properly at this point. In reality, I’d guesstimate that 85% of organisations are failing to tackle security properly. And part of the problem is they may think they are.
I’ll leave you with another quotation, one that boils down the “what we need to do” into five words. It’s from Stéphane Nappo, Global CISO of Groupe SEB, formerly with Société Générale, an IFSEC Global Security Executive Influencer 2021, and named 2018 Global CISO of the Year:
“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: cybersecurity is much more than an IT topic.”
Is it time to get on the front foot? To improve your security stance and test continually, on the basis that prevention is far better than cure, and far better than loss and recovery? In other words, to make security your competitive advantage.
A global thought leader and international speaker in mainframe security and technology, and a passionate advocate of all things Z, Mark Wilson is Vertali’s Technical Director. He has more than 40 years’ experience across numerous industries and diverse mainframe environments. Mark is also Region Manager for Guide Share Europe (GSE) UK. For more information email: firstname.lastname@example.org