Once upon a time, IT security was a problem purely for the IT department. The attitude still persists in many quarters; one major survey found that nearly a third of UK boardrooms, across multiple industries, still felt that cybersecurity belonged in the IT department, rather than at the senior management’s table.
This attitude, however, is not only short-sighted – it is also extremely risky.
Security problems are business problems
For a start, it’s important to recognise that when an organisation’s IT security suffers problems, the business as a whole tends to suffer problems too – sometimes very significant ones. Many IT security incidents, whether the result of targeted malicious activity or simpler digital vandalism, have an effect on business operations. These effects can be relatively minor, causing staff to waste time filtering and deleting spam emails, for example, or slowing down the performance of a handful of machines. Or they can be truly enormous – witness ransomware attacks scrambling the contents of entire business databases or taking every computer in an organisation offline.
These latter examples have a very clear impact on business operations, slowing down or halting day-to-day processes and sometimes very directly preventing the organisation from selling products or services. However, it is important not to overlook the business impacts of even small cyber incidents. Spam can cause staff to miss legitimate, important emails. A DDoS attack which slows the company website for an hour or two can lead to disgruntled discussions on social media. And in a world in which news of even a minor cyber incident – and a lacklustre corporate response to it – can be widely disseminated extremely quickly, there is a very clear link between IT security and the reputation of the organisation.
The IoT exacerbation
Furthermore, the current explosive growth in the Internet of Things (IoT) means that the scope of IT security in typical organisations is exploding too. Cisco has predicted that the total number of IoT devices worldwide will be more than 50 billion by 2020. Another way of looking at that is that by 2020 there will be more than 50 billion potential targets for malicious cybercriminals, many of which will be connected to enterprise IT networks. Additionally, those devices will be creating vast swathes of data – again, much of which will be valuable enterprise information. The hunting ground for cybercriminals is, in summary, getting much, much richer.
Bringing IT security to the boardroom
No matter what sector they operate in, then, it is vital for forward-thinking organisations to bring IT security into the boardroom, and to create clear lines of communication between the security function and all other aspects of the business.
There are various challenges associated with this process, in particular the prospect of ‘translating’ security risks and threats, proposed investments and processes, from purely technical language into information which is contextualised in terms of the wider business. Whilst some IT security personnel are able to do this fluently by themselves, it is often useful to be able to draw on direct business intelligence, presented in a clear, visual format.
Ultimately, the senior management in today’s organisations needs to understand that IT security can no longer be shut away in an ‘IT Crowd’ style basement, left to quietly keep things ticking over. IT security incidents can have a severe impact on all aspects of the business, which means that preventing them and responding to them needs to be built into overall business management and forecasting.