Cybersecurity is a business problem
Cybersecurity is certainly a hype word in the press at the moment. Security professionals and CSOs that are longer in the tooth are saying, "move along, nothing new here" - are they right? To answer this, we need to take into account that we have always had a sliding scale, with security at one end and usability at the other. Remember the old adage that the most secure computer is the one buried in a box, encased in concrete.
The trouble is, users are like rivers - they will find the easiest way down the hill. If security mechanisms are too taxing, users will look for ways round them - or indeed stop using the systems altogether, for example by storing information locally rather than trying to access unusably secure corporate systems.
The shifts we are seeing today are largely driven by the increasing speed and complexity of technological change. Not that long ago, organisations were looking to protect computers, systems and databases that were designed to last years, if not decades. Many of the capabilities we see as mainstream today didn't even exist three years ago, however.
Just as technology continues to fragment, so are information-related attacks on citizens and institutions increasing in complexity. Whereas security used to be relatively linear - protecting a known set of systems against direct attack - the types of threat have multiplied. Threats are becoming so diverse and numerous, the overall effect is that the aggregated risk (the cyber-risk) finds whichever way it can through the barriers in place.
This transition is taking us from information security - treating individual systems and the corporate IT environment - to cybersecurity. While 'infosec' was an IT problem, cybersecurity is a problem for individuals, for businesses, and indeed for governments as it has become the fifth domain for warfare. The problems are bigger, they happen faster and their impact can be far worse.
As a result, we need to move from information protection to cyber resilience, readiness and response. At Symantec for example, we have a readiness and response team which fills the gap between analysing potential threats and engaging directly with what is happening at customer sites. This way, as we correlate events and detect potential new threats, we can prioritise and respond accordingly.
Customers are also evolving from a purely infrastructure-centric view, to one which looks at what people are doing and how business activities can be protected. The sliding scale is subordinate to ensuring the business can continue to operate, that information is still available and accessible, that people can be productive even as data is protected.
Ultimately, the user experience is paramount. By recognising this, organisations can look at what they are trying to achieve as a business and ensure it happens securely, rather than implementing security controls that are targeted more at systems than at business priorities.