Complex Made Simple

Company senior officials urged to toughen cyber security measures

"The consequences of those breaches are too severe, and in some cases, too public, to be ignored"


Gregory Garnier is a partner with Bain & Company in the Middle East and an expert with Bain’s Global Information Technology practice

If there’s a positive effect from the recent rash of high-profile security breaches it’s that senior management, along with the board of directors and other officials, can no longer just pass ownership of data security to their respective CIOs and hope that the issues will go away. The consequences of those breaches are too severe, and in some cases, too public, to be ignored.

In addition, simply investing more money into more security software, hardware and other solutions is not likely to be the quick fix that companies expect. Despite billions invested to strengthen cyber security there’s always a major security breach happening every week. The increasing number of attacks and breaches should act as a wake-up call for CEO’s and corporate leaders to take a more serious and more strategic approach to dealing with this problem. Because the consequences of failure can ruin a business, data security has emerged as a primary concern for any company. The fact is, any organization may be only a few steps away from being breached. What’s required is a plan of action that is based on reinforced communication ties between a company’s business side and its IT side—the former because it understands the relative value of different digital assets and the latter because it makes investment decisions on how to protect them.

Over the last few years, and in our experience working closely with some of the world’s leading enterprises, we’ve seen too many companies take the wrong approach, failing to align their IT security capabilities with their larger goals and appetite for risk. Business and IT don’t share their views on what they think are emerging threats or the relative importance of their digital assets. As such, there often is a disconnect between an organization’s risk management efforts and its cyber security measures. More often than not, these companies are inconsistent in their approaches to planning, operations and funding.

This disconnect comes at a critical time. Companies today have more digital assets than ever, which include customer and transaction information and proprietary assets such as source code, business processes and data. At the same time, with the emergence of the cloud, companies are now shifting to hybrid cloud architectures and software services. IT departments of these companies need to take more sophisticated steps to guard their sensitive data. The importance is increased now that staff and executives can easily access data through mobile gadgets. In fact a recent study conducted by ISACA, a known IT benchmarking association, showed that 66 per cent of today’s organizations will now be adopting a Bring Your Own Device (BYOD) policy among their employees, yet only half of IT staff members are concerned about the risks involved.

With these risks in mind, we came up with four strategic steps toward a more secure cyber security policy:

Define and understand the organization’s key assets and penchant for risk

Align your business and its IT component on the digital assets that you feel are most important to protect.

Understand the security risks and the gaps

Assess your company’s current security capabilities and measures that have been put in place. This will allow you to predict and determine the likelihood that breaches will occur.

Define and design your cybersecurity strategy

Once you have identified the security risks and gaps, it is best to move toward designing a blueprint that acts as a roadmap toward protecting your digital assets.

Discuss these heightened measures with the CEO and the Board

These security risks are not likely to go away. Instead, they promise to remain a permanent and ongoing responsibility of the organization, which will have to keep refining its strategy and defences. Leadership should be kept informed about the security-related risks and gaps they face, so that they can understand the importance of the investments required.

With the risks evolving and becoming more sophisticated, today’s companies and organizations will need to collaborate more efficiently to combat these breaches—not only with external security experts who can advise them on issues that are difficult to see from inside, but also within their own organizations. It is only through a strong and reliable partnership between the business side and IT that companies can hope to stay above the rising tide of security attacks.

The views expressed in this article are the author’s own and do not necessarily reflect AMEinfo’s editorial policy.