However, many companies see cybersecurity as a dark hole into which money is thrown without yielding any tangible benefits, thus reviewing its implementation as separate to the business objectives.
Alternatively, they believe that implementing security applications, tools and services will mitigate all cyber risk exposure. This constricted view can lead to disappointment, as data compromises can still happen despite tools, solutions and services meant to defend, protect and secure these enterprises.
What is required is a balance between these views, as misalignment to business objectives can either result in overprotecting IT assets, leading to waste of resources, or under-protecting these assets, exposing the organisation to cyber threats and vulnerabilities.
Cybersecurity is one of the key pillars in enterprise risk management, which comprises of governance, risk management, compliance and security. This quadrant guides the cybersecurity in organisations and for it to succeed, the organisation’s strategic planning must guide it.
Cybersecurity begins at the ‘software factory’, thus underlining the need to select reputable service providers at the base stage. It then moves to ‘information security’; the responsibility of senior management and key business stakeholders; if the organisation is to be competitive, remain profitable and continue to innovate.
Digital ecosystems have evolved, and IT systems continue to come with new challenges, as respective technologies change both software and hardware. The adoption of cloud services, IoT (Internet of Things) and IoX (Internet of anything), portable and mobile computing is now the norm.
Soon, virtual reality, artificial intelligence, neurological systems, high-speed data and collaboration could be the next norm, and this underlines the ever-evolving technologies that cybersecurity must be integrated into.
Cybersecurity strategies are not a plug and play system; they have to be supported by continual improvement processes and initiatives in cybersecurity and must be continually updated, maintained and improved.
One way to select the appropriate selection of cybersecurity solutions is to align the cybersecurity strategy with the appropriate cybersecurity and governance framework that is aligned to the activities of the business.
In South Africa, frameworks such as NIST, COBIT, King IV may be used to comply with privacy regulations such as POPIA, GDPR and the incoming Cybersecurity Bill. For the banking sector, organisations will have to adopt PCI DSS and other financial institution frameworks such as Sarbanes and Oxley.
These frameworks provide a structured process and guidelines to develop an appropriate cybersecurity strategy for organisations. However, it should be noted that these frameworks are not prescriptive, as organisations are different, but rather provide a reference framework that can be followed to create a cybersecurity strategy.
Cybersecurity is hinged on the organisation’s risk appetite and tolerance. If the risk tolerance is high, an organisation will not pursue cybersecurity as a core business process, whereas if the tolerance is low, the organisation will ensure that cybersecurity is a critical process in ensuring business success. For an example, a bank or financial services provider will consider cybersecurity in as much as it considers physical security for its organisation.
Cybersecurity should not be a separate business process, where cybersecurity counters the business strategies; it must be integrated into the business as a whole. This business perspective allows organisations to understand their risk appetite, tolerance, financial constraints and other constraints that will help guide cybersecurity initiatives.
Failure to integrate often leads to failure of systems.
A good example is British Airways, which experienced customer data theft, following its implementation of an outsourced model for its cybersecurity. This divorce of activities between business and cyber activities led to a cyber breach.
In South Africa, another example is the Liberty data breach incident, where personal data was compromised. This would have been managed had it ensured compliance with POPIA and GDPR regulations, by using well-known cybersecurity frameworks on managing personal identifiable information, such as encrypting such data at rest and in transit.
For cybersecurity to be successful in an organisation, every employee in the organisation must adopt it, with senior management leading by example. The rise in ‘bring your own device’ (BYOD) increases the risk to cyber breach and therefore from HR on-boarding, employees must be made aware of the cybersecurity protocols and the company’s practices.
Methods to encourage compliance range from mandatory cybersecurity policies, cyber awareness campaigns, mandatory training or gamification; all initiatives that can be done to ensure everyone is taking part in cybersecurity initiatives.
Successful implementation of cybersecurity follows a structured process. It must be multi-layered, designed and implemented to follow an in-depth defence methodology. This involves layering cybersecurity resources, assets, technologies, services and solutions by including people, technology, secure software, security solutions, logical and physical security.
