Every year, Dimension Data publishes an Executive Guide to the annual NTT Security Global Threat Intelligence Report. We call out key findings and the most significant shifts we’ve observed in the cybersecurity landscape over the past 12 months. These are complemented by recommendations on how organisations can bolster their defences against emerging threats.
Our Cybersecurity Advisory – where we engage with clients to conduct in-depth cybersecurity maturity assessments, through the lens of their business priorities – is an important new contributor to this year’s Guide.
One of the most conspicuous issues highlighted in this year’s Guide is that 2018 marked a record for the number of new vulnerabilities discovered in a calendar year – up 12.5% from last year.
While the threat landscape will continue to evolve, and the emergence of new, more sophisticated vulnerabilities and attack vectors is inevitable, I don’t believe it’s all ‘doom and gloom’. In fact, I’m extremely optimistic and excited about the future of the fight against cybercrime, for three key reasons:
The notion of moving from reactive to predictive security has been around for years. However, I foresee unprecedented innovations in this field in the immediate future. Substantial progress is already being made. For example, NTT, as a leading global carrier, has significant visibility of the world’s Internet traffic. We overlay the data and insights we’ve collected with the capabilities of the NTT Security Global Threat Intelligence Centre, where our experts work around the clock to analyse and synthesise the vast amounts of threat information we collect, at the most granular level. This gives structure and context to information and turns it into intelligence.
We’re observing a positive trend this year, with businesses moving away from making piecemeal investments in traditional security hardware, and instead moving towards more business-aligned, strategic buying decisions. This is evidenced by the fact that while the finance and technology sectors were the most attacked this year (each representing 17% of all attacks and featuring in the top five targeted sectors in every region), they’re also the most cybermature.
I’ve heard many people in our industry claim that ‘today, cybersecurity is your point of access to the board.’ They believe that talk of cybersecurity alone will gain the board’s attention and they’ll typically centre their approach on instilling fear, uncertainty, and doubt, i.e.: ‘These are all the threats out there. Look at our graphs that prove it; this is what you’re doing wrong … but, don’t worry, you can protect yourself if you invest USD 300 million in these new cybersecurity technologies.’
I disagree with this approach, as it fundamentally lacks any form of business-alignment.
To gain the attention of the board, you need experienced professionals who thoroughly understand the current threat landscape and the latest cybersecurity technologies, but also are willing and able to have business-related discussions.
In my experience, gaining successful access to the board – and being invited back for further conversations – is achieved by those who’re willing to first engage with their clients in an advisory capacity. They focus initially on establishing a deep understanding of the organisation’s overarching business objectives, and subsequently present cybersecurity advice and investment options that are aligned to those goals.
For example, among the many applications an organisation has, one might be an HR tool that simply tracks the number of employees in the company, per region or country, but contains no personal or financial details about any individuals. It’s just a convenient tool for an HR team within a global organisation to utilise. However, another application might generate over USD 6 billion a year in revenue for the company, and contain a host of transaction details, and customers’ names and credentials. Such an application obviously needs to be far more secure than the HR one.
Security professionals and providers who work with clients to give them advice regarding their current and ideal security posture are the ones who’ll be taken seriously. In the example above, the most sensible advice would be to say: ‘It’s going to cost you USD 300 million to secure your entire enterprise for a period of time (but not forever), but if you prioritise, and focus on elements of your core business – such as the application that’s generating significant revenue – you’ll need only invest USD 5 million to guarantee its security, and you’ll also be able to use it more prolifically. And we can remove your HR application from the scope of this engagement, as the requirement for it to be secured is negligible.’
Only when you start to understand and measure a company’s most critical priorities, and demonstrate how you can add value to and secure the associated infrastructure, will you be perceived as a trusted partner.
Over the last year, our Cybersecurity Advisory teams’ engagements with clients uncovered the following:
However, I don’t believe these findings should leave us despondent. The levels of, and gaps between, organisations’ current and desired cybermaturity aren’t where we should focus. There are several encouraging takeouts to consider, for example:
The third area where I see encouraging progress is in the level of collaboration and information-sharing among organisations across the cybersecurity value chain.
From research and development organisations, suppliers of security products and services, and in-house IT professionals, to boards, regulatory bodies, and governments, we need to create a united front to ‘fight the good fight’ and (from a business perspective), where necessary, leave any competitive inclinations ‘at the door’.
Cybersecurity affects every one of us in some way, in both our professional and personal capacities. Ultimately, the success of our battle against this scourge hinges on how effectively we co-operate and collaborate.
So, together, let’s start pushing the boundaries of what’s possible.