Instead of viewing security as a technology function, enterprises must see it for what it is – a business risk management program that is crucial to their survival. It should therefore be a top priority, front and center in every decision. The challenge is that as enterprises continue to digitize, they increase their exposure to attack; choosing between the benefits of digitization and security will be a tough call, because no organization can have 100% of both.
Enterprises may also want to rethink the scope of cybersecurity – how far outside the organization it extends, what it covers, and so on. The pandemic provided the perfect setting for this. With the shift to remote working, employers were forced to bring employees’ homes within their security perimeters. In some cases, this called for redrawing the cybersecurity operating model and business continuity plans to cover a widely dispersed workforce.
Then the disruption of supply chains drove home the need to focus on risk and resilience. With vendors and distributors experiencing the same changes – for example, digital adoption and remote working – it became important to include their businesses in cybersecurity assessments. Between pandemic lockdowns, climate change events, and acts of aggression, organizations have accepted supply chain disruption as a fact of life. Collaborating with supply chain partners to build joint cyber-resilience should be high on the agenda.
That brings us to one of the biggest shifts required in organizations’ security mindset. Historically, enterprises have been reactive in their approach, focusing on defending against threats. But given that cyberattacks will only grow in variety, frequency and ferocity, and so will environmental risks, it is imperative to progress beyond cybersecurity towards cyber-resilience, in an attempt to thwart bad actors before they strike. Apart from being proactive, cyber-resilience differs from the old approach by accepting that security incidents are inevitable. With that acceptance, it focuses on improving detection, alertness, and response when incidents occur.
All these mindset changes – in priority, in scope and coverage, and from maintaining security to building resilience – suggest that organizations should direct future investments towards proactive defense: anticipating attacks early, responding to events in real time, and containing damage rather than merely repairing it afterwards. And of course, they need to protect data and applications wherever they may be. In the digital – and especially post-Covid – age, that could quite literally be anywhere. As enterprise workloads increasingly move into the cloud, and the remote work model persists, the traditional practice of securing the network perimeter is no longer effective.
Since neither data nor the workforce is confined within enterprise boundaries, security needs to go from being network-centric to being user-centric. Indeed, this is the basic principle of zero-trust architecture (ZTA), which seeks to safeguard users, resources, and assets wherever they are, instead of protecting static perimeters.