Growing Board Awareness and the Connection to Security Culture
CSO magazine predicts that cyber-crime damage costs could reach $6 trillion annually by 2021, representing “the greatest transfer of economic wealth in history” and “risking the incentives for innovation and investment … more profitable than the global trade of all major illegal drugs combined.”
The importance of creating and sustaining a culture of security is increasingly being recognized; the tone from the top is changing. Executives and Board members are being held accountable for proactively addressing cyber security risk at people, process and technology levels. This accountability is driving higher investment (expected to exceed $1 trillion from 2017-2021) in security programs, and in turn, informing the priorities and tone of leaders at all levels.
A stream of high-profile, data-breach-driven executive exits illustrates how seriously shareholders and the public now view a lack of cyber security capability. The level of awareness that one would formerly expect to see only in financial services and healthcare is gradually expanding to virtually every corner of the public and private sector, particularly in North America and Europe. Awareness drives action.
Security by Design
Application security is finally receiving the respect it deserves. For anyone who subscribes to Marc Andreessen’s philosophy that ‘Software is Eating the World’ (and well, isn’t it?) one could argue that designing security into software (and hardware for that matter) is bordering on becoming a moral obligation.
To understand the most pervasive threats and how to mitigate them, look no further than the recently updated OWASP Top 10 list. For those who may be unfamiliar, OWASP (Open Web Application Security Project) is a vendor-neutral non-profit community that publishes excellent (and free) application security resources, research and reference materials. You can find additional secure design guidance from the National Institute of Standards and Technology (NIST).
The Rising Popularity and Adoption of Risk Based Frameworks
Speaking of NIST, the growing complexity of information ecosystems, combined with Board-level oversight of those ecosystems, is contributing to the long-overdue rise of risk-based frameworks for managing technology risk across organizations today. While risk-based frameworks have long been used outside of IT to manage financial, operational and regulatory risk, such sophisticated governance of technology risk has been slower to catch on.
Whether an organization selects NIST, ISO, COBIT, HITRUST or another framework is less important than the decision to use a framework at all. A risk-based framework helps organizations prioritize security program investment, track progress in closing gaps over time, and communicate in a consistent way across periods and business units. Frameworks also help inform a culture of calculated risk minimization over the completely unrealistic target of risk elimination.
This year, I am grateful to see excellence in cyber security being more widely embraced by technologists, expected by consumers, and driven by leaders. While there is a long road ahead, I firmly believe we are collectively headed down the right road, and picking up speed.