The 17th e-Crime & Cybersecurity Germany 2021 Virtual
At AKJ’s last DACH event, attendees were asked what had changed most about cybersecurity in the past five years. One of the commonest responses was that while threats have become more frequent and complex, and cybersecurity itself has entered mainstream awareness, neither business heads nor more senior management are operating with a security-first mentality.
And this is creating real problems: responses in our research suggest that organisations are unwilling or unable to make the kind of large-scale operational changes required for a truly mature security culture.
Most obviously, digitalisation has become a matter of business survival. So, the priority has been speed of roll-out, not building-in security or establishing better procedures for including security teams in digital business projects, many of which are outsourced to third-party providers. The business, not security, has the upper hand in this response to the pandemic.
Within digitalisation, that reliance on third-parties for an increasing proportion of business-critical infrastructure is also a security risk. We didn’t need the SolarWinds hack to tell us about third-party risk, but it was a timely reminder of how fundamental it is.
This business-first approach reflects, according to our research, a continued view at senior management levels that security is just ‘a necessary expenditure’, a tax on the business, to be minimised where possible. CISOs still have to work hard to show the Board why security is not unnecessary friction but an enabler.
Even where the Board is on board, the broader problem of security culture remains: if short-term business goals trump security, if tick-box compliance on data privacy gets budget but real security does not, then not only do businesses face increasing risk in new technologies upon which they now depend, they also face an uphill struggle to build the top-down security culture every business needs in the longer term.
And while businesses incur ever more technical debt in solving business and security problems piecemeal, cybercriminals are operating with increased organisation and sophistication.
Left unchanged, this divergence, between what businesses are prepared to commit to cybersecurity and what bad actors are prepared to invest in terms of time and resources, threatens the sustainability of many digitalisation business models.