It takes your entire team to build a strong security strategy.
Today’s digital transformation shakes up the norm, as companies adopt next-generation solutions to become more agile, scalable, and customer-centric. And while advanced technologies and processes like automated manufacturing, artificial intelligence, and Internet-enabled 3D printing certainly advance business goals, they also accelerate risk.
The reliance on electronic data and unmanned processes is spawning a new era of hacking, aimed at disrupting sensitive customer and business data. With security now key to business longevity and success, there’s even more reasons why every part of an ICT company should be proactive about cybersecurity.
A recent survey by Gartner (http://www.gartner.com) examines the impact of technology on business strategy, as automation and data analytics become strategic cornerstones to enhance business agility, cut costs, and spark innovation. That survey reports more than 50% of CEOs expect this transformation will directly impact organizational strategies. A majority of CEOs and business leaders additionally rank technology-driven change as the key for business growth.1
In fact, a PwC survey found nearly 60 percent of IT leaders plan to increase security spending as a result of going digital. And it’s not just because data breaches cost millions of dollars, but a strong security strategy also forms a safety net for innovation. CIOs are moving from tech champions to business strategists.2
Cybersecurity is a leading indicator of business success, and the entire organization is responsible for keeping critical business assets safe. It is incumbent upon all business leaders — not just the CSO and CIO — to lead the conversation. As a cornerstone of business sustainability, it’s critical for cybersecurity programs to be backed by company-wide training and support. And management has to align with security teams, determining the right strategies for boosting agility while maintaining security.
ISE magazine asked me to respond to some critical questions about how cybersecurity relates to network transformation, and the professionals who are charged with designing, building and caring for the network. My responses will hopefully make your organization continually ask the hard questions about how cybersecurity can be a driver for your success.
ISE: How do cybersecurity efforts impact others in the areas of C&E, I&M, and the field forces? What additional things do they need to learn? What are they missing?
Bradley: C&E and I&M workforces need to be equally as aware of cybersecurity as any other organization within the enterprise, including security and IT. That’s because both the physical and logical aspects of the network can be vulnerable to disruption of service.
As you build out and maintain your networks, make sure you put in place proper physical security so it’s extremely difficult for unauthorized personnel to access your network assets.
Also, design for redundancy. Have separate power, cabling systems, building entrances, fiber and transport path diversity, etc., to lessen the impact of physical denial-of-service attacks. If you see any damage to equipment or its security protections, report it immediately.
Since suppliers/contractors may have access to your systems, your security department must work with them to ensure they have proper controls in place.
You need to work with your security department to properly vet vendors and the technology placed in the network to ensure all aspects of your network security are tested upfront. This includes all firmware and software, which must meet or exceed your company’s cybersecurity best practices. Firmware and software must be kept up-to-date. For those installing equipment in your network, processes and procedures should be well-defined, understood, and enforced, including who has logical access to your network. Maintaining the security of your network map and the location of all your assets is critical.
At the end of the day, you should think of yourself as part of an ecosystem that supports the customer as well as your organization.
ISE: How is CenturyLink addressing the cybersecurity skills gap across the organization?
Bradley: We’ve made significant changes to our program by further investing in our people, processes, and technology.
It starts with our leadership. We’ve worked with our board to have a deep understanding of what our key assets are and determine the risk posture of the organization. This has enabled us to make sound decisions as to where to invest our resources. Based on that, we have implemented policies, processes, and controls, to match our risk posture.
Education is key to ensuring people are aware of the issues associated with security. Obviously, we have annual training for all employees. But people quickly forget once the training is completed. So, we regularly communicate, via senior leadership, the importance of security. When employees hear the message from their leadership, they are more likely to give the issue the priority it warrants.
One way we’ve been successful in reinforcing the cybersecurity message to employees is through short videos on key topics such as phishing, the importance of locking one’s computer, password security, and how to prevent or respond to workplace violence. These videos have been well received.
We have also enabled our senior leaders throughout the organization to spread security knowledge. They work to guide their teams on acceptable software tools to protect the company’s intellectual property as well as assist with ensuring that security is baked in to the design of the products we develop for our customers.
We’ve invested in a highly skilled workforce with experience working in industry and the government securing global networks, systems, and applications. Our team has experience not only working with technology to assess risks and implement controls to mitigate those risks, but also to proactively detect, respond to, and mitigate threats.
Investing in a culture that embraces cybersecurity, having leadership support, developing internship programs with universities, and educating employees, can help reduce the cybersecurity skills gap.
ISE: What is your boldest prediction about cybersecurity changes in the next 5 years?
Bradley: We are seeing changes in technology such as the Cloud, mobile, IoT, and augmented/virtual reality, that are enabling new ways for individuals and entities to interact with each other. These technologies are driving the exponential growth of bandwidth across the network and opening new threat vectors we haven’t seen before.
The cyberattacks we experience today are very sophisticated and will continue to become more so. And the effects caused by distributed denial of service (DDoS) attacks, ransomware, and data breaches, among others, can have devastating impacts on businesses, governments, and individuals. As we continue to move to Cloud, mobile, and IOT technologies, we are becoming more connected than ever before.
Organizations cannot expect to detect or respond to threats in isolation. We must work across the public and private sectors as well as academia to develop the solutions of tomorrow and share information about the joint threats we face. Information-sharing groups, including those coordinated by industry and government, provide excellent opportunities to learn more about new and emerging threats. We should also work to automate threat-intelligence sharing to more quickly respond to threats.
By working together, we can make the digital world a more secure place.
ISE: What are we NOT talking about related to cybersecurity that we should be addressing?
Bradley: Companies typically have between 5 to 50 vendors that provide their security solutions, and not always in a cohesive fashion. For example, IT decision-makers attending a trade show may hear about the latest solution to guard against ransomware, and then purchase that solution. If the solution ultimately fails to block a future ransomware attack, internal stakeholders will likely seek to assign responsibility for the failure. Suddenly, it’s like working with contractors when building a new house: the carpenter blames the plumber, the plumber blames the electrician, and the electrician blames the carpenter.
Companies should stop depending on that next solution to resolve their security issues. If you compute in an ecosystem, you should build your security in that same ecosystem. Consider the hospital analogy: when you go to the hospital, they assess and prioritize your health issues. And because the hospital has years of experience with all types of health issues, they will refer you to specialists, when appropriate.
Managed security service providers work in much the same way. They have experience evaluating best-of-breed solutions because they have utilized such solutions themselves, and have implemented them with their customers. These providers can also help you consider your risk posture and make sure you implement only solutions that are necessary and cost-effective, while taking into consideration the costs of a potential future breach. In some cases, simple user training, and better processes and procedures, may be all you really need.
Regardless of which provider or which solutions you choose, your company, must be committed to security — from the board level all the way into the field.
1. "Gartner 2016 CEO and Senior Business Executive Survey Shows That Half of CEOs Expect Their Industries to Be Substantially or Unrecognizably Transformed by Digital". Gartner Newsroom. Posted April 20, 2016. http://www.gartner.com/newsroom/id/3287617?=&utm_campaign=security&utm_medium=backlink&utm_source=thinkgig&utm_content=. Retrieved 061817.
2. "Make Security a Priority in Digital Transformation" by Samuel Greengard. CIO INSIGHT. Posted 10-13-2016. http://www.cioinsight.com/blogs/make-security-a-priority-in-digital-transformation.html?=&utm_campaign=security&utm_medium=backlink&utm_source=thinkgig&utm_content=. Retrieved 061817.