Gartner says paradigm shift in thinking needed for investment in cybersecurity
Flip open the newspaper or turn on your news aggregation app and you’ll be inundated with a grim list of people, organisations and, yes, even nation states assailed by hackers and cybersecurity incursions aplenty. Stories abound of the aftermath of their handiwork – stolen data, leaked information or worse. Rather than doing it just for kicks, hackers are now doing it for the money, with a rise in ransomware in recent years. To date, successful hacks have ranged from leaking classified information all the way to the digital equivalent of bank heists. Looming on the horizon is the chilling prospect of attacks on critical infrastructure such as power grids, oil pipelines or worse. In one recent case, the attack on NHS hospitals in England, hackers held a hospital and its critical IT systems to ransom.
To counter that, many organisations have adopted the mindset of throwing money at the cybersecurity problem in the hope that sufficiently large amounts of it will result in an impregnable digital Fort Knox for their businesses and online endeavours. “Cybersecurity is traditionally treated as a technical problem,” said Paul E. Proctor, Vice President, Distinguished Analyst at Gartner. “This usually works out to tossing money at the IT department and telling them to ‘protect us’.”
Unfortunately, where there’s a will, there’s a way. “These days, you can’t keep the bad guys out,” said Paul. “If we can’t keep them out, it does not make any sense putting all our money into trying to stop them,” he added. According to Gartner, Malaysian businesses are set to increase their IT spending by 8% from 2016 to reach a princely MYR 71.7 billion this year.
Paul said, “Businesses have been investing almost exclusively in protection technologies for the past 15 or 20 years. We have to take a step back and ask how do we address the problem appropriately.” According to Paul, cybersecurity has to be treated not as a technical problem to be solved but as a risk to be appropriately managed. In that regard, not all companies are fully prepared to address a potential cybersecurity problem or the demands of a sufficiently robust cybersecurity programme for their organisation.
Rethinking Cybersecurity
Effective cybersecurity requires a fundamental change in mindset. “We are trying to battle checkbox thinking. Simply running and ticking off a list of things to do and invest in won’t help you that much to address the threat.” Systems in an organisation need to be protected according to their importance and the potential risk of being hacked. If every system in an organisation were protected equally, the cost would be astronomical, hence the need to adopt risk-based thinking.
“If we treat all systems equally it would get very expensive. Prioritisation is required. We need to patch them in terms of priority. Risk-based thinking is setting your investments properly, and this is done against the business processes and outcomes intended by the organisation,” said Paul.
With that being said, it’s not technological limitations that bring about shortfalls and breaches in security. In many organisations, it’s often a failure in decision making. Paul gave a clear example with the Target store chain hack in the US. The exact sequence of events that transpired is speculation, but hackers had presumably gotten into Target’s secure systems by compromising its heating and cooling systems. “More and more things are being connected to the Internet of Things. There are benefits to such connectivity, but when hackers infiltrated them to get to their POS systems, it’s not a failure of technology but a failure of decision making.” He speculated further on whether the person who signed the procurement order for Target’s heating and cooling systems actually consulted the IT people before doing so, given that the purchase subsequently led to the breach and loss of data.
Proctor added that currently most organisations who invest in cybersecurity don’t even know their investment mix. At present, most invest a mere 30% in detection and response, with the majority going to traditional prevention technologies. He added that by 2020, spending in major organisations should go up to 60% in detection and response. Ultimately, there is no such thing as perfect protection, and more investment in cybersecurity is not always commensurate with better protection. “There is no such thing as perfect protection and the purpose of a security programme is not to protect the organisation. That is impossible. The purpose is to create a set of controls that balance the needs to protect versus the needs to run the business.”