Simplifying cyber security is a critical challenge for organisations. Often, they look to complex solutions, add-ons and ecosystems to secure their estates. But that complexity has driven cyber risks and costs higher, leaving some dangerously exposed.
The last 18 months have thrown up fresh challenges around securing hybrid and remote working scenarios. Some organisations introduced temporary technologies and new ways of working and inadvertently increased risk profiles and complexity, as they tried to secure tools and processes alongside existing systems, while dealing with new dangers as attackers targeted organisations in novel ways.
As organisations now look to embed hybrid ways of working into their long-term strategy, there is an opportunity to rethink - and simplify - the approach to cyber security. It’s a chance to embed security into the whole organisation, to ensure resilient operations and reduced cyber risk.
Cyber security is not just a technology consideration; it’s an issue that covers people, place and technology.
Chris Gaines, cyber security leader at PwC UK, says: “If organisations are making big decisions about how and where people work, the locations they use, and their dependence on technology, their approach to security must change. That requires a review of their current cyber security posture and risks, and plans for any changes that might affect that.”
In cyber security terms, people have been woefully overlooked and underinvested in for too long. Organisations often focus heavily on technology solutions, and fail to consider the psychological and behavioural aspects of cyber security and the culture that goes alongside it.
Hybrid offers an opportunity to educate people and make them feel comfortable about security tools and processes.
Daisy McCartney, cyber security director at PwC UK, says:
“Organisations have a chance to shape their systems and processes and control to support people to be secure, rather than seeing them as a vulnerability. Security must not be an add-on or an optional, but must be designed into the way people work to ensure the most efficient way is also the most secure.”
“Currently, most tools and processes just don’t work for the majority of people; they should be seamlessly integrated and simple to use. By understanding what might be new and different - and scary - for people, organisations can help them manage and negotiate those issues, and better support them to demonstrate secure behaviours.”
This helps to build trust, empower individuals and make them feel they can take true advantage of hybrid working, ultimately making hybrid working as productive as possible. There’s a strong connection between trust in an organisation’s culture and environment and people’s approach to cyber security and compliance. Without trust in the working environment, organisations will struggle to create trust and empowerment in people.
To introduce secure and successful hybrid transformation, organisations must be proactive and collaborative, continually assessing and reacting to potential risks.
They must think about cyber security as early as possible. The longer it is left, the more difficult and costly it can be to secure, and the more likely it could end in a breach or incident. Organisations that look to reduce complexity and address cyber security early can more easily establish a framework for governance and shared responsibility, and are more likely to see the benefits of simplification sooner. Those benefits can often be large and extend far beyond cyber security itself.
To ensure proactivity, cyber security leaders must be included in discussions about hybrid transformation, so they can see where challenges will arise in any strategy.
Chris Gaines, cyber security leader at PwC UK, says:
“Open collaboration allows the whole organisation to really understand security risks up front and make informed decisions to mitigate risks while achieving their goals. Boards who have closed conversations around hybrid transformation and dictate decisions to their security teams are likely to see costs, complexity and risks increase.”
Alongside those activities, cyber risk reporting is essential. To stay on top of cyber challenges throughout a transformation, organisations must analyse risk regularly and look at how potential changes affect their risk profile.
By using security risk dashboards, organisations can assess their current status and the impact of hybrid transformation. This information can be a powerful tool in assessing risks and opportunities. By tweaking parameters, it’s possible to see what planned changes look like from a security perspective and establish actions to mitigate risks.
McCartney says: “Cyber security isn’t there to stop progress or hinder hybrid transformation, it just needs to be baked into decisions early on, so organisations can evolve securely. It’s much easier to implement these solutions from the beginning when designing new systems, technologies, processes and ways of working, rather than adding security fixes reactively. Typically, risk, vulnerability and cost increase when security is an afterthought.”
Organisations that consider cyber security early in a hybrid transformation - or better yet, use it as a starter for that transformation - will create a more resilient operation, empower people and reduce cyber risk. Even for organisations that have begun their hybrid transformation, it’s never too late to think about cyber security. The earlier it is addressed, the easier it is to remedy - from both a complexity and cost perspective.
This article is part of a series that looks at the critical role technology can play in an organisation’s hybrid transformation. Look out for the other articles coming soon.