In its recently released podcast "Protecting against cyberattackers", McKinsey Insights features an interview with James Kaplan, a Principal at McKinsey who leads the firm's capabilities in global IT infrastructure and cybersecurity. James is co-author of the popular book "Beyond Cybersecurity: Protecting Your Digital Business". In the podcast, James shares some interesting observations from his research on the cybersecurity strategies and practices of more than 200 companies:
Companies are falling behind the cyber-attackers:
Cybersecurity and the protection of business and customer information is increasingly becoming a strategic concern, yet companies are still falling behind the cyber-attackers. Hackers and their attack methods are advancing at a much more rapid pace than the improvements in companies' security practices.
Tension between security and tech innovations:
Companies often find security to be the long pole in the tent. Security prerequisites make it harder to innovate and to capture value from technological innovation. Security concerns are delaying the adoption of innovations in cloud, mobility and the internet of things (IoT). Advances in cybersecurity technology are needed to tackle this. In fact, he estimates that the economic value lost because of these delays in adopting cybersecurity capabilities is in the region of USD 3 trillion! See more findings from this study here and here.
Organizations must build digital resilience:
James suggests that organizations should build digital resilience to protect themselves from cyberattackers. Security should not be the worry of the security or audit department alone, but should become part of every business process and every plan. He draws a very good analogy with the way the automobile industry in the 1980s incorporated quality into each of its business functions. A similar inclusion of security practices is needed today to make companies digitally resilient. The focus needs to shift from putting a security layer on top of an application to building security into all layers of business processes, technology environments and the day-to-day actions that people undertake.
Just throwing resources at the problem is not enough to protect against cyberattackers:
In his research, James found that only 10% of companies have a mature set of cybersecurity practices such as:
- knowing who the attackers are and which attack vectors to protect against;
- identifying what assets need to be protected;
- prioritizing potential investments and policy making; and
- ensuring that the decisions made are implemented holistically and comprehensively.
However, there are many companies that are low on cybersecurity maturity but high on cybersecurity spend (defined as security spend as a percentage of overall IT spend). These companies have large security teams and have procured security technologies, but have little insight into what to protect and how. Throwing resources at the problem in this way is not helping much in protecting against cyberattackers.
James suggests that this can improve as organizations become digitally resilient. Company boards should invest more time and effort in cybersecurity. They should ensure that security gets on the board's agenda and that CSOs get sufficient attention from the board; they should ask tough questions about cybersecurity readiness and the trade-offs being made between security and business needs, and ensure the necessary allocation of management resources to cybersecurity programs.
The podcast is a good collection of insights into the cybersecurity practices that enterprises should follow. Thanks to James Kaplan for sharing them with the world. SecureDB appreciates and wholeheartedly supports this initiative.