Cybersecurity in 2022: The Need to Tie Together Security with Policy Management
2021 was a challenging year for cybersecurity. We saw interrelated threats exploiting the vulnerabilities in an interdependent world.
As digital transformation accelerated, our threat vectors multiplied in tandem — and what emerged was a more significant number of unknown vulnerabilities than ever before. For example, Check Point’s report found a meteoric rise in supply chain attacks last year, of which just 16% were due to new risks. Further, this challenge isn’t going to go away any time soon. Enterprises have discovered a new way of doing business, built on all-new operating models with digital at the core. A degree of cyber risk is, therefore, inevitable.
So, how does one continue on the current digital track while keeping risks to a logical minimum? After all, security reasons cannot (or at least should not) hold back modernization, efficiency, and growth. It is where policy management must play a role. A robust policy management function with due procedures documentation will help share security ownership between IT and the rest of the business.
What Does it Mean to Tie Together Security with Policy Management?
Cybersecurity policies and procedures distil the technical measures that IT adopts to fight risk into insights and action points that a business user can understand. Guidelines exist in an organization in some form, but most often, they only determine technical configurations and not business or people decisions.
A robust policy and procedure document acknowledge that cybersecurity is not the onus of IT alone. Every enterprise department, function, and office region is connected; a minor vulnerability can quickly multiply into a significant threat. Holding IT responsible (and IT alone) only holds back cybersecurity capabilities and pushes the first line of defence too far into the organization.
Instead, enterprises should approach security policy management from the same vantage point as other governance functions. It entails:
● Documentation and knowledge consolidation — Policies cannot exist as tribal knowledge or technical spec sheets. New employees, team leaders, and decision-makers must be prepared for broader consumption. In addition, there must be a regularized method to consolidate and update security knowledge to keep up with market trends.
● User awareness training — Policy dissemination is a big part of policy management until the last mile. The workforce must be aware of the plans, policies, and procedures in action or know the checks and balances in play, which influence their daily tasks. While documentation is a background, passive activity, training must be proactive.
● Inter-functional collaboration — A cybersecurity policy document is not the responsibility of IT, CISO or tech alone. Instead, it must consider inputs from various teams, who all have a stake in enterprise governance. For example, it includes legal, HR, procurement, risk management, external regulators, audit practitioners, and consultants if needed.
● Decision-making impact — Ultimately, the purpose of tying cybersecurity with policy management is to influence decision-making at every level. From a grassroots worker thinking about installing a SaaS app to the procurement team making a supply chain decision — cybersecurity has to be a driving factor for the choice.
3 Reasons Why Security Policies and Procedures Are Mission-Critical in 2022
It might have been enough to have a standalone security operations centre (SOC) connected to IT in a pre-pandemic world, overseeing cybersecurity implementation across the enterprise. But now, with every team, employee, process, and home office becoming a potential threat vector, security policies and procedures are mission-critical. The World Economic Forum’s Global Cybersecurity Outlook 2022 report mentions three worrying trends that necessitate better documentation:
1. Business executives and security leaders are not on the same page
At least there is a consensus around the need for greater cyber resilience. 87% of executives plan to improve cyber resilience by strengthening their policies in 2022. However, while 92% of business executives feel that there is already sufficient integration between cyber resilience and enterprise risk management, only 55% of security leaders agree. There is an apparent disconnect and a chronic need for more robust policies.
2. Cyber resilience is still not part of overall risk management in 32% of cases
In an even more worrying statistic, just 68% of organizations believe cyber resilience is a significant part of their overall risk management strategy. It means that more than 3 in 10 enterprises are left exposed to a growing number of risks as they deprioritize the role of cybersecurity. Business executives do not consult with IT or SOC when making decisions, and the policies formulated by IT teams do not permeate to the grassroots level.
3. Lack of policy documentation translates into lacklustre security recruitment
There is less push to bolster the security function without a consolidated body of policies, documentation, and governance guidelines. Ultimately, organizations will hire less staff and take on more contractual or gig workers, as they do not perceive security as mission-critical. So, it is no surprise that 59% of organizations would find it challenging to respond to a cybersecurity incident due to a shortage of skills within their team.
The Way Forward
The security events of 2021 point to an urgent need to build a more robust policy management at the enterprise centre. The policies must glue cybersecurity or data leakage prevention behaviour down to the grassroots. The technologies are available and ready to use. Advanced cybersecurity tools using AI and ML are available on SaaS models, and there is a genuine push to upskill a new generation of cybersecurity talent. But, a link between cybersecurity and policy management is at the heart of this shift. Enterprises must recognize security’s pervasive role in 2022 and plug the gaps urgently.
Have you taken stock of the state of your cybersecurity policy and governance lately? Join the conversation by commenting below. You can also email me at Arvind@AM-PMAssociates.com.