The security conversation within organisations needs to change

Image: Shutterstock

From speeding up innovation to understanding customers better, digital transformation has emerged as the primary driver of corporate evolution. The International Data Corporation (IDC) estimates that worldwide spending on digital transformation will be nearly $2 trillion by 2022 up from ‘just over $1 trillion this year'.

It is seldom a smooth undertaking though. Reaping business benefits requires fundamental changes to an organisation’s culture, business processes and the very technologies that underpin it.

While digital technology can provide amazing levers of growth, it can also widen the threat landscape. In fact, anxiety surrounding not only spiralling costs (43 percent) but crucially, also security (40 percent) and privacy (37 percent) are the key adoption barriers for business decision makers when it comes to artificial intelligence (AI) and internet of things (IoT), according to the Cycle of Progress survey by Tata Communications.

Even as Indian enterprises have been consumed by putting up an additional cyber-defences, attackers and threat vectors are evolving rapidly as well. For example, as organisations rapidly adopt cloud delivery models, software-defined networking, IoT, analytics, blockchain and open application program interfaces (APIs), they concurrently require a more systematic and proactive approach to addressing security threats and managing compliance requirements.

Indian organisations have also been guarding their information assets through a myriad of point solutions, which are clearly inadequate, since threat vectors have evolved to take advantage of the legacy security solutions in place. The degree of difficulty rises when business units begin consuming technology, like cloud services, without any IT intervention—the IT team will have little visibility into systems that do not show up on its radar.

For most organisations, security is neither seen as a revenue generator nor as a business enabler. A direct consequence is that business processes and the IT that enables them mature faster, and thus their security cover is in a perpetual scramble to catch up. As a result, for most technology initiatives, security is often the last thing to get bolted on.

A rash of incidents over the past few weeks helps illustrate this:

March 1: Over 2 million identity records on government officials and politicians from every country in the world leaked from a Dow Jones watchlist

March 21: Facebook admits that it has not properly secured the passwords of as many as 600 million users

April 15: IT outsourcing giant Wipro begins investigating reports that its IT systems are being used to launch attacks against some of its customers

Malware, hackers, botnets—over the past months, the media has focused on the surge in security incidents that have had an adverse legal, financial and reputational impact on Indian enterprises.

Despite this growth in awareness, IDC estimates that 93 per cent of Indian organisations have just basic cybersecurity protection in place.

So, on one hand, enterprises realise that they need to harden their resilience to threats, and on the other, they need to do so by facing the realities of user expectations, shorter business cycles, legacy environments, managing multiple technology providers and internal skills gaps.

The security conversation within organisations clearly needs to change. It's rather unfortunate that fear has been the traditional basis of accessing security investments. It also, possibly, reflects a legacy mindset at work in organisations. Today's threats and tomorrow's challenges can’t be dealt with by brandishing fear, they need a risk-mitigation approach to get business buy-in.

IDC has also identified the acute shortage of cybersecurity professionals and ineffective security sourcing among the top 4 vulnerabilities of Indian enterprises on their digital journeys. To emerge from chaos to order will require leveraging intelligence, technology and talent in equal measure to devise appropriate yet agile response mechanisms.

From skilling to keeping pace with threat vectors by using emerging technologies such as machine learning and analytics, to even enhancing resilience, is a challenging journey for an organisation to undertake on its own. As the velocity, variance and sophistication of cybersecurity attacks intensifies, organisations need to partner with specialist security service providers with demonstrable capability for innovation and the use of emerging technologies.

The goal should be to not only reduce the probability of an attack, but also to switch the focus to risk-mitigation and quick remediation. Making the CEO and the Board aware of the many fast-evolving threats by highlighting the invaluable role of security controls in minimising business risk is part of the process. A shared ownership of risk with business stakeholders and forging the right technology partnerships will enable organisations unlock the full potential of the latest digital technologies—and pave the way for total business transformation.

The author is Chief Sales & Marketing Officer at Tata Communications.

The thoughts and opinions shared here are of the author.