View from India: Data is lifeblood of organisation
The future is being created from a fusion of new business models, new technologies and new partnerships. In the changing business environment, where cyber security is becoming a key business enabler, technology is an opportunity and not a threat.
Business is changing, and the fourth industrial revolution is underway. Data has become the lifeblood of the organisation as boards seek to harness the potential of the digital economy, create new customer experiences, transform their services, and drive efficiencies and cost savings. Cyber-security professionals should have the ability to protect the heart of the transformed business with agility of thought and action that recognises the pace and speed at which cyber-criminals operate.
Here are six key cyber considerations that will shape the way we approach security in 2020 and beyond. These include aligning business goals with security needs; digital trust and consumer authentication; the evolving security team; the next wave of regulation; cloud transformation and resilience; and automating the security function.
Align business goals with security needs: Many organisations have spent massively on cyber security, both on tooling and personnel. But today, some feel the need to cut back. The cost of security has become a major focus – perhaps as much as security itself. So, security becomes an end-to-end priority and is aligned with the business for strategic and operational planning.
Engineering approaches such as secure by design and privacy by design need to be implemented. They help introduce security into the daily mindset of the development and operations team as they craft new applications and services. Ultimately, the cyber team needs to be business-led and business-aware.
Digital trust and consumer authentication is crucial: Young consumers are bringing their expectations to their online lives, especially in banking and financial services. Bricks and mortar are slowly disappearing; whoever reigns supreme in terms of the digital customer experience is likely to enjoy the greatest market share. In the current environment, the way to offer a better customer experience is to reduce friction. For customers who forget a password, having a PIN (personal identification number) sent to a mobile device via text message that has to be reentered and confirmed, for instance, is friction.
That’s why many companies are leaning towards a machine-learning-based approach to understand their clients’ typical, yet unique, characteristics and behavioural patterns.
Companies should work to connect the data, authentication and fraud teams systematically and programmatically. It is a priority to understand the privacy and data concerns around how, and by whom, your data is going to be used. Going forward, much of it will likely be in the cloud. Think about how to encrypt and protect it.
The evolving security team: The landscape of the cyber-security team remains a collection of technical, operational compliance professionals. Nevertheless, a transformation is underway into a more strategic, forward-looking resource that employs its worldview to impact business dynamics.
Chief information security officers (CISOs) and their teams are working to adjust to the changing dynamics of the business and become a trusted and relevant voice at the strategy table. They are also working to visualise the organisation’s specific operational priorities and partner with internal business heads to incorporate those insights into the company’s cyber-security plan as expeditiously as possible. Satisfying regulatory requirements that are efficient from both time and cost perspectives is essential, particularly in financial services and health care.
In companies that are being transformed digitally, the cyber-security team should look to be involved in these conversations from a strategic perspective and present themselves as the connection between business, digital, and security.
The team should identify the type of data to place on the cloud, then understand the interactions that will be required between the development and production environments, and map those expectations within the security plan accordingly. Finally, the team should advocate for cyber security to be a prominent feature in the organisation’s environmental, social and governance agenda.
Next wave of regulation: In 2020 and beyond, increased regulation on a variety of topics is expected from regulators. Many countries have issued rules to comply with certain elements of the General Data Protection Regulation (GDPR) or their own privacy laws. Therefore, larger multinational companies have created new, proactive data-management departments.
Essentially, businesses are looking to master data analytics as a discipline. They also want to understand where the data is located across the organisation, who owns it, what’s being done with it, and, perhaps most critically, what rights and permissions users have in relation to that data. Companies are recognising the need for additional investment, not just in tooling and process development, but in terms of increasing cyber talent, from cyber governance and risk strategy to configuration and maintenance.
Companies are encouraged to shift their focus from systems and technology to information; pinpoint what it is that makes you competitive in the market. It could be intellectual property, your supply chain, or your pricing power. Whatever it is, that’s what you need to protect.
Cloud transformation and resilience: Companies need to align the CISO’s functioning with the rest of the enterprise, particularly with reference to the maturation and efficacy of the cloud. To that extent, many of them are becoming learning organisations. The thing that attracts cloud talent, beyond money, is culture. Prospective employees need to know they’re not walking into a classic, hyper-risk-averse, slow-moving organisation. You can attract strong cloud talent by creating a culture that’s open to innovation and experimentation.
Automating the security function: A broad set of know-your-customer (KYC) data is being gathered and analysed by many sectors including financial services, e-commerce/retail, technology, media and telecommunications, and automotive, among others.
Companies are beginning to realise they are sitting on a treasure trove of data. If better organised and made more efficiently accessible, it can be extracted and analysed for value-added purposes. They are automating functions that, until recently, have been manual, by pulling together historically disparate data sets. This helps confirm that digital customers are who they say they are. They are also acquiring deeper information such as who has a virus on their computer, who recently received a phishing email and who tried to enter a network to which they don’t have access.
Security professionals are combining third-party tools and in-house solutions to automate as much of the overall cyber playbook as possible. This is all in line with an organisation’s business development and customer experience objectives. Companies are looking to automate the first and second lines of defence via the cloud to better respond to threats across the enterprise without human intervention. They also simultaneously confirm that the security controls they expect to have in place are indeed operating as expected.
Organisations in the early stages of maturity in terms of data normalisation may not be equipped to jump straight into insight extraction through AI and machine learning. Such companies are prioritising the use cases they want to address – fraud detection, customer experience enhancements and operational efficiency improvements.
These insights were shared in the KPMG Report ‘All hands on deck: Key cyber security considerations for 2020.’