As technology continues to evolve, businesses are seeing both the upsides and pitfalls of advancements like the cloud.
On the one hand, cloud environments have enabled companies to expand their footprints and allow employees to permanently telecommute. In fact, Gartner estimates that around half of all knowledge workers will rarely step foot in a traditional office for the foreseeable future. On the other hand, the virtual aspect of the internet, the cloud, and widespread digitization have opened up organizations to serious corporate security risks.
To get a better understanding of the biggest security concerns facing leaders and brands today, I sat down with Ostendio’s Grant Elliott. As the security and risk management platform’s CEO, co-founder, and chairman, Elliott keeps an eye on the emerging threats that keep business owners and CISOs up at night.
Serenity Gibbons: Let’s start by talking about the most critical risks you’re seeing right now. What’s your top pick?
Grant Elliott: The number one threat faced by businesses is the growing inability to understand where their data is stored and who has access to it. The challenge for organizations today is how to ensure only those required, with legitimate rights, can access and use that data.
Gibbons: That’s scary, given that Beta News reporting estimates about one-third of all hacking incidents can be linked to “inside jobs.”
Elliott: Yes. Failure to identify and manage access to data has led to a rise in both the number of data breaches each year and the related financial and reputational cost to an organization. According to a recent Ponemon/IBM report, the average cost of a data breach is $4.2m, the highest average total cost in the 17-year history of the report.
Gibbons: Okay. What gets your vote for the second biggest type of security threat that needs to be taken seriously?
Elliott: Complacency. When organizations are complacent and take shortcuts to managing risk, security, and compliance, they put their business, employees, and customers at risk.
Gibbons: So an auto-piloted, “set it and forget it” system isn’t feasible?
Elliott: It isn’t. There is no automated shortcut to run an effective security program.
We’ve met with many organizations (who have since become customers) that have either tried to manage the process through spreadsheets or held the belief that an “automated” system could adequately protect their data, only to fail a security audit and put their organization at further risk.
To be successful, businesses must get boardroom buy-in to invest in building robust integrated risk management and data security programs that can be verified by an external auditor.
Gibbons: I’m guessing that a lot of organizations know about these threats and try to thwart them. Why aren’t they gaining traction?
Elliott: To manage threats, organizations often focus on their production data stored in a cloud environment such as AWS or Azure and fail to recognize that their data might be free-flowing across their organization. Without clear governance and mechanisms to enforce data security, sensitive data can find itself duplicated in all sorts of places, providing potential attackers with a multitude of access points.
Gibbons: What’s your best advice for CISOs tasked with trying to make sense of everything?
Elliott: Communicate with your executive team and board of directors. It is important that the modern CISO communicates risk management effectively to ensure corporate buy-in at the highest level of the organization.
Only effective risk management communication will allow the modern-day CISO to ensure they have a sufficient security budget and executive buy-in to drive operational security throughout the extended organization and reduce overall organizational security risk.
Gibbons: Good points. How about a year or two down the road, though? We know that more threats are bound to arise. Are there any pragmatic ways that CISOs can future-proof their corporate systems against today’s and tomorrow’s risks?
Elliott: Businesses should start by managing and tracking all assets at a holistic level: not just an asset’s attributes, but also its criticality, risk, and accessibility. It is also essential to understand integration points because of the increased use of APIs. When a single asset is breached, we need to understand if that might give back-door access to other assets.
Organizations should also be implementing their security and risk management program in line with an industry-acceptable security standard and ensure compliance by having it audited by a credible and independent third-party auditor to prevent confirmation bias. When sitting for an exam, you don’t get to grade it too.
Gibbons: I’d like to end on a hopeful note. Can you share three positive trends in the risk and security world that you expect to see in the coming five years?
Elliott: Sure. Number one, there are an increasing number of tools available to help organizations protect their data. Organizations will use these tools to help build and operate security and risk management programs at a holistic level. While some automation in these tools may prove helpful, the reality is that people and systems are complex and most controls will continue to be procedural.
The GRC (Governance, Risk, and Compliance) tools of the future will be fully aligned with the core operational tasks of the organization, ensuring that all actions and activities are managed and tracked and that all employee operations work as a matter of process to protect information and provide on-demand evidence for independent verification.
Number two, there will be an increase in demand for security audits and certifications such as SOC 2, FedRAMP, and ISO, or to obtain security certifications such as HITRUST. Gartner predicts 60% of organizations will use cybersecurity risk as a “determinant” in third-party transactions and business engagements by 2025. This helps organizations know how to set realistic goals and build an appropriate and effective security program.
Gibbons: What’s your third expectation?
Elliott: Organizations that have adopted a fully remote workforce will start treating their employees as the first line of defense, rather than as a threat. Employees will become more involved in the security operation and will be measured and rewarded based on this participation. Expectations will be made clearer via more effective process and procedure documentation, more frequent and more targeted training, involvement in security drills such as Business Continuity Plan/Disaster Recovery exercises, and clear communication from management around risk management.
We will also see an increased demand for asset management, tracking all data points and who has access, particularly as employees join, leave, or change roles. We call this building a “culture of security” where all employees are involved and trained in how to handle data properly.
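Two of Elliott’s points above lend themselves to a concrete model: tracking assets with their criticality and integration points so that a breach of one asset can be traced to the others it could expose, and tracking who has access as employees join, leave, or change roles. The following is an added example written for this page, not code from the interview, from Ostendio, or from any product. The asset names, the 1-to-5 criticality scale, the integration edges, and the employee records are all constructed for illustration; it generalizes the two points into a small inventory that computes the reachable “blast radius” of a breached asset and flags access grants that no longer match a person’s current role.

```python
"""
Added example (not part of the interview): a minimal asset inventory that
records each asset's criticality, the assets it can reach through API or
trust integrations, and the roles entitled to it. From that inventory it
(1) follows integration edges to estimate which other assets a breached
asset could expose, and (2) flags grants that an employee's current role
does not justify (joiner/mover/leaver review). All names, scales and
records below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int  # assumed scale: 1 (low) .. 5 (critical)
    integrates_with: list = field(default_factory=list)  # assets reachable via this asset's API credentials
    access: set = field(default_factory=set)  # roles entitled to this asset


# Constructed inventory. An edge a -> b means a holds credentials or a trust
# relationship that lets it call b, so a breach of a can reach b.
INVENTORY = {
    "hr-portal": Asset("hr-portal", 3, ["payroll-api"], {"hr", "it-admin"}),
    "payroll-api": Asset("payroll-api", 5, ["prod-db"], {"finance", "it-admin"}),
    "prod-db": Asset("prod-db", 5, [], {"it-admin"}),
    "marketing-site": Asset("marketing-site", 1, ["analytics"], {"marketing", "it-admin"}),
    "analytics": Asset("analytics", 2, [], {"marketing", "it-admin"}),
    "backup-share": Asset("backup-share", 4, [], {"it-admin", "finance"}),
}


def blast_radius(inventory, breached):
    """Assets reachable from `breached` by following integration edges.

    Breadth-first search over the inventory graph; returns the reachable
    asset names (excluding the starting asset) in discovery order.
    """
    seen, order, queue = {breached}, [], deque([breached])
    while queue:
        current = queue.popleft()
        for nxt in inventory[current].integrates_with:
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def exposure_score(inventory, breached):
    """Criticality of the breached asset plus that of everything it can reach.

    A low-criticality asset that fronts a critical one scores high, which is
    exactly the back-door case the interview warns about.
    """
    reached = blast_radius(inventory, breached)
    return inventory[breached].criticality + sum(inventory[a].criticality for a in reached)


# Constructed employee records: current role (None once the person has left)
# and the access grants that were actually provisioned for them.
EMPLOYEES = [
    {"user": "alice", "role": "hr", "grants": {"hr-portal"}},
    # mover: changed from finance to marketing but kept the payroll grant
    {"user": "bob", "role": "marketing", "grants": {"marketing-site", "analytics", "payroll-api"}},
    # leaver: role cleared at offboarding but a share grant was never revoked
    {"user": "carol", "role": None, "grants": {"backup-share"}},
    {"user": "dave", "role": "it-admin", "grants": {"prod-db", "payroll-api"}},
]


def stale_access(inventory, employees):
    """Grants not justified by the holder's current role.

    Returns (user, asset, reason) tuples so the review can be evidenced
    and handed to an auditor.
    """
    findings = []
    for emp in employees:
        for asset in sorted(emp["grants"]):
            if emp["role"] is None:
                findings.append((emp["user"], asset, "leaver still holds access"))
            elif emp["role"] not in inventory[asset].access:
                findings.append((emp["user"], asset, f"role '{emp['role']}' not entitled"))
    return findings


if __name__ == "__main__":
    for name in INVENTORY:
        print(f"{name}: reaches {blast_radius(INVENTORY, name)}, exposure {exposure_score(INVENTORY, name)}")
    for finding in stale_access(INVENTORY, EMPLOYEES):
        print("stale access:", finding)
```

In the constructed data the low-criticality `hr-portal` reaches `payroll-api` and then `prod-db`, so its exposure score is 13 rather than its own 3; that gap between an asset’s attributes and its real reach is what the interview means by tracking assets “at a holistic level”. The access review flags Bob’s leftover payroll grant and Carol’s unrevoked share, the mover and leaver cases that an inventory tied to role changes is meant to catch.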