We live in the digital age, fully documented by social media. We favor speed over security. We lean into frictionless food delivery over financial protection. We want digital contact with the global masses without considering the privacy consequences. What could go wrong?
In 2020, we were pushed head-first into fully embracing the (once glamorized) digital lifestyle through mandated remote work. Organizations that were not previously prepared for this massive technology shift were propelled into adapting to a distributed remote workforce, and with that the world according to “security” shifted. Even IT teams that were prepared for the digital move required focused investments to recalibrate.
Hold ‘em defense
Security was no longer part of the workforce that lived in the IT closet or the data center. Following the shift to remote work, employees were highly visible as the first and last line of defense, but they were not nearly as prepared as necessary. IT teams have been fighting an ever-changing war with a constantly changing battlefield.
Enterprise defense wasn't prepared due to some of the following: a historical lack of consistent escalation of needs and objectives; a lack of discussion around risk; a failure to provide meaningful data on the consequences of underfunding preparedness; and the distinct cost of doing nothing. It wasn’t prepared because the enterprise’s security objectives were not identified as a priority. Security requires investment and was deemed contrary to the sole driver of revenue generation without consideration of the risks in today’s digital environment.
Training, training, and more training
If the majority of the workforce has not been adequately trained in their personal lives to value privacy or the risks and consequences that this new digital depth has resulted in, how can we expect a different result for our businesses? The world has advanced by leaps and bounds, but that evolution has costs.
IT leaders are not only convincing an organization to invest in protecting the digital environment but also are training multiple generations of users on the importance of security and protection.
Cyber criminals are well funded and will exploit any vulnerability. Currently, that vulnerability lies within unknowing and unsuspecting employees. Without adequate training and management of credentials, the organization is ripe for continued digital incidents.
Training is an organizational pulse of security tenets built into an organization's core values. It’s the distribution of responsibility where everyone is accountable for protecting the company’s information and has a vested interest in safeguarding those assets. When the tie between data protection, revenue generation, and assumption of risk is understood, the user community can operate with clarity on why these values are important and how they can be applied.
Don’t be an ostrich
As everyone globally went virtual, so did the perimeter. For all practical purposes, this was the same prior to March 2020, but the risk was way more visible following the massive work-from-home shift.
Was your identity platform ready for the rapid distribution and certification of credentials and entitlements? It likely wasn’t. Don’t feel bad -- but now is not the time to play ostrich.
The longer your head remains in the sand about the security risk of not controlling credentials and access to the environment, the more that spiral of risk and data loss will spin out of control.
Identity governance of the entire human and non-human population is table stakes. Invest in security tools to protect and monitor. Without knowledge of the entire population, IT teams have no control over who has access to what, which is critical to running successful operations. The likelihood of a breach is nearly 100%. Teams must be ready to rapidly identify, contain, and minimize the damage.
Nobody puts baby in the corner
IT remains the heartbeat of the organization. Management of the digital footprint and distribution of risk is critical not only to daily operations but also to long-term success.
The organizational prioritization and investment in the areas of cyber defense, identity, and monitoring are the lifeblood of the organization. Without commitment to the continuous improvement and evolution in these areas, organizations will never be prepared to support the rapid evolution of threats poised to exploit the weakness.
If security continues to be an afterthought, vulnerability exploitation will become more pervasive, frequent, visible, and financially damaging to the organization.
A future so bright
As the age of digital continues to advance the mantra of a frictionless exchange, IT teams should evolve the organization’s cyber security and protection tools at a similarly rapid rate.
The best offense is a good defense. Invest in the basics. By training your people, advancing your technology, and committing to prioritize and protect your most important assets, you can reduce your organization’s risk portfolio and focus on generating the most important asset of all - revenue.
Johanna Baum, CPA, CISA, has over 25 years of advisory experience in IGA, Security, and eGRC. She is the founder and CEO of S3 Consulting focused on providing professional services expertise related to programmatic Cyber initiatives. Johanna is a recognized expert and is an active influencer in the Cyber community. She serves on the Advisory Board for the University of Tennessee, Knoxville Accounting/InfoSys Department, several technology vendor advisory boards, Ambassador/Mentor for SPJ Capital, and a mentor for multiple Entrepreneur and Women in Leadership Organizations.