It is commonly understood that security – or specifically cybersecurity in the modern-day organisation – is everyone’s responsibility, but what does that mean? In the same way as fiscal discipline is managed today, security can and should be connected to the very fabric of the business.
Yet, weaving cybersecurity into corporate strategy, product design, budgeting, and daily business activities may require a cultural mindset shift both within the organisation and in terms of its associated investments.
Whether you are developing a new process around customer engagement, launching a new product, or creating new services, the security executive needs to be involved at every stage from vision to implementation.
It is high time companies elevate the role of the security executive from an IT security leader to a trusted business enabler.
In turn, security executives must embrace business conversations that identify security risks in a way that is easily digested by the business leaders who are responsible for making risk and funding-related decisions. The Consumer Goods and Services (CG&S) industry, especially, demands this now more than ever.
Infusing security into the fabric of the organisation
In our recent study Conspicuous Security Consumption – Achieving Cyber Resilience in Consumer Goods and Services, we discuss how CG&S companies can successfully become cyber resilient.
After decades of mergers and acquisitions, many CG&S companies have been left with large, decentralised organisational models that emphasise individual businesses or brands.
This modus operandi has opened the door to increased cyber risk due to inconsistent security maturity across the organisation. Many are not addressing new threats that are emerging across the value chain in product development, manufacturing, supply chain, and customer operations – areas which, if breached, could have a material impact on the business.
Security priorities in the CG&S industry have so far been set on protecting traditional IT services and assets, like e-mail, IT data centres, enterprise applications, and desktop environments.
However, the increased sophistication in cyber-attacks means that security executives need to now focus on infusing security mechanisms into the fabric of the organisation’s strategy.
This way, CG&S organisations can build cyber resilience to operate effectively despite persistent threats, sophisticated attacks, and disruption.
Key results from the South African study
Although organisations are investing in cybersecurity on an extraordinary scale, the current priorities show that much of this spending is misdirected toward security capabilities that fail to deliver the greatest efficiency and effectiveness.
Of the nine security technologies identified in a survey, five had a negative value gap where the percentage spending level is higher than the relative value to the business. CG&S organisations usually fail to make a positive impact on their risk posture.
Of the CG&S companies surveyed, 50% of executives recognise they need to improve on cyber threat analytics and 46% on security monitoring, both of which are the ‘basics’ of security programs.
Furthermore, 50% of the security breaches that CG&S organisations experienced in the last 12 months were linked with customer data, and over 43% of CG&S executives said that they had suffered an interruption of physical operations or shutdown of assets as a result of a breach.
This further highlights the severe effects of a data security breach in the industry. While 34% of CG&S executives say that their cybersecurity budget authorisation is with the CEO/Executive Committee (which is more than the global average), only 26% of CG&S executives think they are effectively protecting their physical infrastructures and assets with their cybersecurity strategy.
It is clear, therefore, that cybersecurity in CG&S in South Africa still needs to be improved greatly, and organisations require not only guidance but practical tools to improve their risk posture.
Ways to improve risk posture
Securing the journey to the cloud
Many CG&S companies see the cost-effective cloud as the answer: moving applications, workloads, or whole data centres to third-party providers.
This transition offers an opportunity to re-examine the business infrastructure and operations to design security in at the heart of organisational strategy, building resilience.
Building trust in direct-to-customer initiatives
CG&S companies are creating strategies to deepen direct consumer relationships and use data analytics to inform the operations of the business.
Artificial Intelligence (AI), analytics, and machine-learning-enabled initiatives allow them to mine large consumer data sets to better engage customers, manage promotions, and understand buying and consumption behaviours.
This is also useful for security to pre-emptively account for the new risks and protection obligations that come with this or any new data set.
Managing operational technology (OT) risk
Advancements in OT have enabled the introduction of internet-connected devices and services for remote management and monitoring in factories, but security is rarely a priority in comparison to the daily running of the factory.
As a result, in recent times security executives have been forced to turn their attention from the IT to the OT environment, which has a unique set of challenges:
- A lack of security accountability,
- Inconsistent security processes,
- Inconsistent technical controls, and
- Incomplete asset visibility.
Business and manufacturing functions are embracing digital technologies – from the adoption of cloud to connected factories and supply chain to direct-to-consumer channels.
As their organisations transform, so too must their cybersecurity strategies and how they are handled. Cyber attacks can not only result in operational disruption but also affect the beating heart of the business. Organisations need to, therefore, pre-emptively identify and prioritise high-risk areas.
The security executive needs to be more of an enabler of processes who is involved from the planning phases, avoiding disruptive or cost-prohibitive remediation activities ‘after the fact’, which is common practice as new regulations are introduced.
Security should inform the strategy, not interfere with innovation, allowing organisations to innovate faster.
CG&S organisations need to allow security executives to establish visibility and influence on business outcomes, rather than solely on IT outcomes. They should have ‘a seat at the table’ during business planning, strategy, and design processes to inform decisions, de-risk innovation challenges, and build a more resilient business. The outcome? A business that is secure, by design.
We fully embrace participation in the Fourth Industrial Revolution (4IR) and have been actively innovating in the technology world for many years prior.
Securing digital transformation is a core theme and we have become an intelligent operations partner-of-choice for organisations who wish to seamlessly navigate through the ebbs and tides of digital transformation to navigate the waves of success in this perpetual ocean of change.
We have worked with clients across the globe to plan and manage cloud rollouts to be compliant with local regulations, assessing and mitigating operational risks and helping gain regulatory approval.