I speak at a lot of events and talk to a countless number of corporate leaders about cybersecurity every year. Given the opportunity I ask these people one simple question: Why do you invest in cybersecurity? I usually get a version of the same three answers:
1. To protect my network.
2. To remain compliant.
3. Because I don’t want to get hacked.
I don’t know if these answers concern anyone else, but they concern me. As a cybersecurity professional, this tells me that either something has been lost in translation over the last thirty years, or that—as cybersecurity professionals—we’re not getting our point across.
Stay with me on this to see what the correct answer to the question should be.
If we all remember, “IT” stands for Information Technology and the original focus of “IT” teams was on the data: how the data was distributed, how the data was stored, and how the data was accessed. IT professionals were programmers, database specialists, data processors, data engineers/managers and, yes, network engineers.
In today’s world, IT Managers and the IT departments they manage are primarily focused on network technology, connectivity, and break-fix. Thirty years ago, cybersecurity was very different. Connectivity was limited and rare. The internet was expensive and wasn’t an automatic in every household, business, automobile or airplane.
And, if you had the internet (or point-to-point connection, or however you connected your new computer to another computer for the purpose of accessing “remote” data), you had to use a funny noise-making modem thingy connected to your telephone line. Back thirty years ago, we still used reel-to-reel tapes and floppy disks to store and backup our data. One meg of data could take all night to download. As a 3rd-shift Data Processor for a small Texas insurance company in the 1980 somethings, the speech my manager gave me, which amounted to cybersecurity training, consisted of “whatever you do, don’t open the loading dock door for anyone”. Some of you reading this may remember what an IBM mainframe weighed. Computers and connectivity were complex in form, but very very basic in function. It was all the access of very defined data.
As we run the time-lapse video in our heads from the 1980’s to the present, a lot has changed. The internet became more established, accessible and faster. We demanded that our networks were more accessible and faster 24-7-365. No downtime, immediate gratification, performance, and never-ending up-time.
Our focus has shifted to the networks responsible for delivering the data, and in turn, moved away from the foundational data itself. Moore’s Law created a constant, never ending cycle of network technology upgrades. As business leaders we became consumed with “our networks”. We had to have the newest, fastest, most advanced network hardware and software. We “locked down” the gateway with firewalls, smart firewalls, next generation firewalls and now unified threat management devices. We built anti-virus, anti-malware, and now anti-ransomware software.
Then virtualization came along, and we could spin-up new networks virtually. Then the cloud. Now we’re not entirely sure where all our networks exist. We have forgotten the sandboxes in our neighbor’s backyards running honeypots that would make Pooh envious. Right now, our IT Managers are tasked with managing the complex world of network design, cloud integrations, upgrades, bandwidth, VOIP phone systems, IoT, and device access control. Not-to-mention in most cases, device deployment, help-desk and break-fix. They’re so overwhelmed with the network that there’s no way they have the bandwidth to manage our data gone wild. IT Managers need help from the layer ultimately responsible—the executive layer.
So, it’s now 2019, and we collect, store, and access more data than at any time ever in the entire history of mankind.
And before I ask my question again, let me leave you with one of the first things I was told as I entered my first entrepreneurial class in college, way back in 1980 something. As we began class, the professor opened by saying “The secret to success is simple. Always make sure to remember that it’s a privilege to have customers. It’s never their privilege to do business with you”.
By the way, the answers listed at the top of this article are incorrect. Here's why:
1. Investing in cybersecurity is actually about protecting critical data.
2. Compliance requirements were only put in place because we lost public trust.
3. Fear of getting hacked just means that you're acting out of panic.
The real reason we invest in cybersecurity is directly tied to the trust our customers have loaned us as a means of earning their business. Because of that loaned trust we must protect our customer’s data. That's the answer I'm always looking for.
To do this, it takes executive leadership and a keen understanding. No matter what business we’re in, our customer’s, employees, shareholders and partners are trusting our businesses enough to loan us a piece of who they are.
The next time your board or investors ask you why you invest so much in cybersecurity, the answer is simple. It’s the interest on the loan our customers, employees, and partners have given our business.
Learn more about IGI's approach to cybersecurity and discover what services your company can benefit from.
