Compliance and audit-oriented 'tick-in-the-box' practices still underpin many InfoSec strategies. Huge sums of money are being spent on supposedly 'one-size-fits-all' reactive solutions to one-off threats. However, such a firefighter mentality is at odds with the holistic, preventive protection that an efficient 21st-century InfoSec strategy requires.
Cyber threats have become increasingly salient for most organizations, with potentially fatal consequences in terms of operations, finance and reputation. The board must realise the growing ubiquity of such threats—and the hard, cold fact that cyber-attacks are no longer a matter of 'if' but a matter of 'when'.
This is not just a technology problem
Your organization forms the most efficient shield against potential threats, and as such, a transition towards effective InfoSec governance is the only way ahead. A clear, simple and consistent security mindset must be embedded at every level of the organization. For many large organizations, this is no longer a matter of awareness development, but a profound matter of cultural change.
Rome was not built in a day. Nor will a lasting InfoSec culture be.
As with any organizational change, it will always be a medium to long-term journey.
For most of the Roman Empire’s glory, the protection of the city of Rome was deemed a secondary issue which could be addressed on an ad-hoc basis with interventions by the Roman army. It took the Romans more than 300 years, and the pressure of a growing crisis due to barbarian threats, to finally decide to build the Aurelian Walls as a consistent and lasting security strategy for their city. They took four years to build, but they protected the city for almost two centuries.
Cyber security transformation experts working in InfoSec feel a lesson can be drawn from history. Most organizations' current approach to InfoSec is, in many regards, very similar to that of overconfident Roman emperors: short-term oriented, overly expensive, and inefficient in the face of growing threats. Good practices have existed for decades and will go a long way to protect against those threats, but they need to be in place.
In that respect, for many large organizations, driving cyber security change starts by looking back and removing the roadblocks that have prevented action in the past. All of those – under-investment, adverse prioritization, complacency – do challenge governance and cultural practices up to board level. Addressing them is a complex management exercise, and definitely not an IT matter.