It’s about time we stopped talking about security…

By Dennis de Geus – Capgemini 

This may sound strange coming from someone who earns a living advising organizations on how to protect themselves from the evil threats in the digital world. So, before I am either cast out by the cyber community or ruin my chances of helping organizations in the future, let me clarify this a bit further.


Being nothing but a hygiene factor

Not a day goes by that we don’t read about another cyber attack in the news. This constant media attention is raising awareness of the topic among the leadership of organizations, and the cyber industry is faring well with it. New players enter the stage with clockwork precision and, if you want, you can visit another conference every week. And when I attend such a conference I tend to hear the same message: “We need to invest in cyber security to protect our digital assets.” or “It is not a question of whether you will be hacked, but when you will be hacked.” I am sure you recognize them.


And within organizations I hear these questions reverberate. The interesting consequence of this type of messaging is that it pushes cyber security into the one corner where we do not want it to be, namely that of being nothing but a hygiene factor. Nobody is happy when the hygiene factor is there; they are only unhappy when it is not. In other words, you end up in the cost discussions: “Cyber is expensive, it’s not adding value…” “Can we do it for less money?” I am sure you recognize those too. So, if we want to convince business leaders of the value that cyber security can bring, we need to stop talking about cyber security, the threats and all the things that could go wrong, and start by understanding what business challenges an organization faces in becoming a digital enterprise.


Developing a cyber security strategy

When my team at Capgemini and I work with an organization to develop a new cyber security strategy, we start by talking to business management at senior and middle management level. In these meetings we talk about everything except security. They are designed to understand how the digital transformation is changing their business model, how operational processes are changing and how they work with partners in open eco-systems. In these meetings we focus on gaining a solid understanding of the business challenges they face, and of what they need to solve in order to be successful in the digital realm.


Across multiple engagements helping organizations position cyber security as a leading factor in their digital transformation instead of a lagging one, we have come across various business challenges. Interestingly enough, there are quite a few recurring themes. For example:

• Success in the digital world requires us to continuously shorten the time to market for new digital products and services;

• In order to be more effective as a data-driven organization we need to get more value out of the data we collect from our end-customers without becoming non-compliant;

• We need to be able to adopt emerging technologies quicker to develop new services;

• We need to be more agile in adopting hybrid cloud technologies to gain efficiency and flexibility.

These are just some of the challenges we come across that business management needs to resolve in order to be successful. So, what if we, the guys and girls from security, could really contribute to solving these challenges…


Two sides to the security coin

I believe we can, but this does require a different kind of approach: one where the organization’s cyber security team delivers proactive services to the business, services that are ready to consume and come with full support. Allow me to illustrate this with the challenge of getting more value out of data collected from end-customers in a compliant manner. Of course, our security policies clearly state that adequate encryption is mandatory for customer data and, flexible as we are, we give the business the opportunity to choose how to apply this encryption, as long as it meets the standard. But what if the security team were to buy, run and operate an encryption platform and make it available to the development teams in an easy-to-use form? So that by adding only a few lines of code to a new app, the data is encrypted automatically. And if we offer a platform using techniques such as Format Preserving Encryption (FPE), we can enable the business to apply data analytics on encrypted data without becoming non-compliant with privacy legislation.


“We need to look to a more bimodal approach towards security.”


We can even ensure that encrypted data can be processed by legacy systems, since the data format does not change, which makes it less complex to develop new systems and services.
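To make the two properties claimed above concrete (the ciphertext keeps the length and character set of the plaintext, and equal plaintexts encrypt to equal ciphertexts so count/group-by analytics still work), here is an added, simplified Feistel-style FPE over decimal digit strings. It is illustrative code written for this page, not Capgemini’s platform and not NIST FF1/FF3-1 (which a production deployment should use); the key, tweak and sample values are constructed.

```python
import hashlib
import hmac
from collections import Counter

def _round_fn(key: bytes, round_no: int, half: str, tweak: bytes) -> int:
    # Feistel round function: HMAC-SHA256 over (tweak, round number, other half).
    msg = tweak + bytes([round_no]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _split(digits: str) -> tuple[str, str]:
    # Validate the domain (ASCII decimal digits) and split into two halves.
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must be a decimal digit string of length >= 2")
    return digits[: len(digits) // 2], digits[len(digits) // 2 :]

def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Encrypt a digit string to a digit string of the same length (deterministic)."""
    left, right = _split(digits)
    for i in range(rounds):  # keep rounds even so the halves end where they started
        # Alternating-halves Feistel step (the idea behind NIST FF1, simplified here):
        # new_left = right; new_right = (left + F(right)) mod 10^len(left)
        mod = 10 ** len(left)
        mixed = (int(left) + _round_fn(key, i, right, tweak)) % mod
        left, right = right, str(mixed).zfill(len(left))
    return left + right

def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Invert fpe_encrypt by undoing the rounds in reverse order."""
    left, right = _split(digits)
    for i in reversed(range(rounds)):
        mod = 10 ** len(right)
        prev_left = (int(right) - _round_fn(key, i, left, tweak)) % mod
        left, right = str(prev_left).zfill(len(right)), left
    return left + right

def equality_profile_preserved(key: bytes, values: list[str]) -> bool:
    # Deterministic FPE keeps equal plaintexts equal, so group-by/count analytics
    # over ciphertexts give the same distribution as over plaintexts. That same
    # property is what it leaks, so small-domain fields deserve extra care.
    plain = sorted(Counter(values).values())
    cipher = sorted(Counter(fpe_encrypt(key, v) for v in values).values())
    return plain == cipher

if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # constructed sample key
    card = "4111111111111111"  # constructed 16-digit sample, not a real account
    ct = fpe_encrypt(key, card, tweak=b"customer-db")
    print(card, "->", ct, "->", fpe_decrypt(key, ct, tweak=b"customer-db"))
```

Because the output is the same length and all digits, a legacy column or schema check that accepts the plaintext also accepts the ciphertext; the tweak binds a ciphertext to its context (a table or field name) so the same value encrypts differently elsewhere.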


Naturally, we also need to consider the risks to our digital assets and protect the organization against cyber threats. Here it is important to identify the strategic cyber security risks and separate them from all the underlying security risks that are addressed by the organization’s security baseline. The strategic cyber security risks are those 3 to 5 risks that should concern a Board of Management and require individual attention. For a health insurance company, for example, one of those strategic risks would be the theft of customers’ medical data.


So, basically, there are two sides to the security coin. On one side we talk about the strategic cyber security risks and establishing a baseline of security across the organization; on the other side we talk about delivering security services that help solve the key business challenges.


It is important to realize that cyber security in a digital organization requires an operating model that addresses these two sides while taking their individual dynamics into consideration. The part about strategic risks and baseline measures is where we talk about the hygiene factor of security, so the dynamics there are about cost efficiency and minimizing the impact on the user community. The side about delivering cyber security services is about delivering business value and contributing to the acceleration of the digital transformation. Different types of processes, policies and even people are needed for each. Establishing and maintaining that baseline of security in a cost-efficient manner, for example, requires people who are comfortable working with set procedures and strictly following the security policies and standards. On the side of the coin where we talk about business-enabling security services, we need people who can act as advisors and operate flexibly in DevOps teams, who can assess risks in the context of the business operations and come up with innovative ways to mitigate them. And to clarify: I am not saying that one kind of person is better than the other, only that it is important to realize that it is not one size fits all.


In summary, I believe that we need to look to a more bimodal approach towards security, where we not only protect the enterprise against the cyber risks that are out there, but at the same time deliver new, innovative security services that truly help solve the key challenges the business has to deal with on its journey to becoming a true digital enterprise.


In short:

• Cyber security questions frequently revolve around cleaning up the policies and investments, but do not reach the key issues and challenges that lie ahead for businesses.

• Current cyber security policies mainly concern understanding what business challenges organizations encounter in their transformation towards a digital enterprise, i.e. complying with data protection legislation while gaining more value from collected data.

• This requires a bimodal approach towards security, where both protection and services are provided.


About the author

Dennis de Geus is the head of Capgemini’s cyber security practice of over 170 professionals, one of the leading cyber security services providers. He advises CxOs on realizing business-aligned security strategies and secure digital transformations.