Three key investments can help your organization prepare against cyber threats.
When cyber criminals pierce a company’s IT defenses, organizations are often quick to blame a security loophole and promise a patch to assuage user concerns. But the proliferation of these often-devastating hacks shows that there’s something much larger at play: The way companies handle security needs to undergo a revolution.
The Open Network Users Group (ONUG), an IT community I cofounded, brings together IT business leaders from the Forbes Global 2000 to discuss security challenges, exchange ideas, and share best practices. Through these discussions, we’ve found consistently that far too many businesses still treat security as an afterthought. The business gets excited about a new application it wishes to implement, then it turns to the security team at the end to have IT “sign off” and prepare whatever may be necessary to make it secure.
Security isn’t icing on top of a cake. It needs to be baked in from the start. And the team you currently have is, quite possibly, not the right one to do this.
The Evolution of IT Security
In order to build out the most effective cybersecurity processes in your organization, it’s important to understand how IT teams have evolved.
Companies went through dramatic changes in the 1990s. They developed new uses for technology, both internally in daily operations (email systems, customer resource management, human resource management) and externally for customers and the public (websites, sales apparatus). In general, these needs were handled by purchasing IT from vendors such as Cisco, IBM, Dell, Hewlett-Packard, and others. These vendors would provide tailor-made technology for each business to meet its specific needs. Thus, the security systems companies needed were vendor-specific based on each piece of technology.
Inside businesses, people with expertise on each vendor dealt directly with the vendor on behalf of the company. This was true for everything, including security. An employee who knew the ins and outs of how a specific vendor handled security was responsible for overseeing it.
As a result, IT personnel developed into separate silos within an organization. IT teams became virtually stand-alone entities. They rarely interacted with other silos or with the rest of the company.
The New Cybersecurity
Today, the rise of cloud computing is changing the IT landscape significantly. Companies are no longer building their IT operations around mountains of infrastructure tailor-made for them by vendors. Instead, they’re switching to cloud computing — shedding old, in-house technology and connecting to less expensive services that get more done in less time.
With a company’s crucial data and operations moving to the cloud, the fundamental elements that it takes to design IT security are entirely different. It’s no longer about protecting unique infrastructure inside your company. It’s no longer about vendors. Now, it’s about making sure that all the information that travels back and forth between your company, your customers, and the proverbial cloud (servers somewhere in the world), stays protected every step of the way.
Along with this come new threats: Rogue nations, cyber terrorists, identity thieves, and other hackers are constantly developing new ways to get between your organization and the cloud. It takes nimble, creative, collaborative teams of IT personnel with a broad range of knowledge to fend off these new threats.
To make this happen, organizations should invest in three major areas:
1. Hiring for in-demand security skill sets. Businesses should hire workers who understand how cloud computing and edge computing work and have a clear vision of where these technologies are headed. These experts must be vendor-agnostic and independent, with broad knowledge of the disparate elements necessary for any IT defenses. They should also be skilled in working collaboratively in teams and using creative thinking. If they’ve spent their careers in silos and only have vendor-specific knowledge under the old paradigm, they’re probably not right for you.
2. Structuring teams for modern security needs. Organizations should build diverse, cross-functional IT teams in which people with different fields of expertise work together to create integrated solutions. Successful organizations are becoming more horizontal: Rather than being based on hierarchical structures, they bring together people with deep understanding of various parts of the IT stack. These flatter structures have been shown to help transform interactions, so that rather than focusing on acquiescence to higher-ups, employees can feel free to discuss solutions openly.
Some of these changes can also be helped by physical redesign of workspaces, so that people focused on security, networking, applications, and more can physically interact throughout the day. Or if they’re not in the same building, managers should follow research on how to create “a sense of community and cooperation among distributed teams.”
3. Adopting a security culture. Perhaps most important is changing the culture of the business so that collaboration and team building are encouraged and rewarded. No matter what structures are changed, collaboration won’t take root without encouragement.
This change is part of a broader transformation that companies need to undergo in general. As a white paper from the Kenan-Flagler Business School at the University of North Carolina found, “Unfortunately, many senior leaders view collaboration as a skill that is best applied on selected projects, rather than as an organization-wide cultural value that should be embedded in the company’s fabric.”
Cyber criminals collaborate to share ideas and increase their chances of success. To beat them, IT teams must do the same.
It isn’t easy. Just like technology, businesses themselves are changing at a rapid pace. There’s no simple blueprint for how this is done. But organizations that work to make IT security an integral — and integrated — part of daily business operations will be much better equipped to face the threats of the digital future.