Cybersecurity is turning into a social phenomenon. Investor interest, public pressure, employee demands, and governmental regulations are strengthening the incentives for organisations to track and report cybersecurity goals and metrics within their environmental, social and governance (ESG) efforts as a business requirement.
Gartner says traditional culture improvement efforts that focus exclusively on awareness are failing to facilitate secure behaviour. A key theme for security and risk management (SRM) leaders in the coming years is the increasingly distributed ecosystem that has led to a loss of direct decision-making control.
Alex Lei, VP and GM for APJ at Proofpoint, observed that in the past risk management was around protecting the data. The pandemic and the resulting hybrid work environment made it clear that ‘the person accessing the data cannot be trusted.’ He pointed to the 2022 Ponemon Cost of Insider Threats Global Report, as revealing a 44% increase in concerns regarding the threat.
Another threat that has come about from the practice of remote work is the absence of face-to-face exchanges. This presented new opportunities for attackers to take advantage of this through social engineering, advertising, services, or applications.
Supply chains are trusted relationships built over years of transactions and exchanges – many of which flowed from the physical interchange.
“As a result of the pandemic, we are seeing attackers coming in, and leveraging on the inherent trust based on the existing relationships that we already have, but they’re redirecting the money elsewhere,” said Lei.
Cultural barriers against data protection
Asked to cite any prevailing cultural trends that are stopping better outcomes when it comes to data protection, Lei commented that while there are many, he picked on one barrier – lack of communication.
“In Asia, cyber security practitioners and board-level people are not communicating effectively. There are a lot of reasons for this, but if you survey the CISOs across Asia, most of them will say that the alignment between the board and cyber security practitioners is probably less than 30% in most cases. They are talking on different tangents, require different things, and communicate in different styles,” he elaborated.
He suggested that fixing this has nothing to do with technology. “It is around aligning interests: between the company interests, and the business interests between the board level and the cybersecurity level,” he opined.
Establish corporate behaviour that is secure by design
Gartner says traditional culture improvement efforts that focus exclusively on awareness are failing to facilitate secure behaviour and have led to a loss of control amid an increasingly distributed ecosystem.
Asked whether he agreed with this assessment that there is a case of failing to facilitate secure behaviour that is leading to a loss of control and awareness, Lei conceded and added further that the traditional approach to fixing a problem by brute force almost never works.
“Where things can be very effective is when we incorporate people into the process and make them part of the program. If they own up to that issue and the program, they become accountable and they are now owners of the new outcome – that can be extraordinarily powerful,” he suggested.
Strategies for sustainable risk management practices
How can organisations improve data protection outcomes for the company in today’s distributed ecosystems?
Many organisations today operate in distributed ecosystems. Large organisations have established shared services organisations that may likely be located remotely from many of the company’s front and back-office operations.
Lei cited the use of support engineers centralised in one location and providing global support. Their job necessitates that they handle sensitive data, and they're working with both upstream suppliers and downstream providers.
They are in a complex ecosystem, and the nature of their interaction is phone calls, emails, and document sharing means handling sensitive data is part of the job.
“Maybe they want to get things done faster, and they circumvent a business process to do the job. But in doing that, they open a hole in their protection. This creates a liability for the company, regulatory issues, and room for potential hackers to come in. That is the reality of the world that we live in today. We must ensure that the business process makes sense and need to be well-designed."Alex Lei
He also posited the need to allow the right data to get to the right people in a distributed ecosystem. And equally important, according to Lei, is the ability to monitor and govern the data in use, especially if they are going out of the parameters, when they go against the policies and when they circumvent the policy.
“We must be able to identify that and enforce it somehow,” Lei concluded.
Click on the PodChat player and listen to Lei detail ways for organisations to improve cyber risk management outcomes in distributed ecosystems.
- Briefly provide a state of data protection today among organisations across Asia.
- What are prevailing cultural practices that are hindering better outcomes when it comes to data protection?
- Gartner says traditional culture improvement efforts that focus exclusively on awareness are failing to facilitate secure behaviour and have led to a loss of control amid an increasingly distributed ecosystem. Specific to Asia, do you agree with this assessment?
- Can you recommend strategies or best practices to improve how organisations can improve data protection outcomes for the company in today’s distributed ecosystem?
- What needs to happen to facilitate your recommendations?