IT security has definitely crossed the boundaries of the IT department. It now ranks among the top three concerns of business leaders. The global situation shows a frightening rate of cybercrime (reports up fourfold, or +300%, in the USA according to the FBI*, and x4 in France according to the ANSSI**), driving some companies, SMEs in particular, into bankruptcy and representing about 1% of global GDP in 2020 according to McAfee.
Remote work, the use of connected objects, and shadow IT running on unsecured or poorly secured devices have widened the attack surface for cybercriminals, who have industrialized and refined their methods. It has become a lucrative business for them, fueled mainly by victims' fear of substantial operational and reputational damage. Juggling "big game hunting", "double extortion" and "RaaS" (Ransomware as a Service), cybercriminals do not hesitate, when the initial company refuses to pay the demanded ransom, to extort the hacked organization's end customers directly for smaller but more numerous amounts.
However, the ransom and the associated reputational costs are not the only bills that companies have to pay when they fall victim to a cyberattack. Organizations sometimes face massive losses in productivity and bear the associated costs of data recovery and rebuilding the information system. According to a study conducted in 2020 by the Ponemon Institute and IBM, it takes on average 207 days to identify a data breach and a further 73 days to contain it. On top of this, a fine from regulators can raise the bill dramatically, especially if the company is unable to prove that, before the attack, it had taken proactive compliance initiatives to implement the controls and policies needed to protect its data and network.
The estimated average cost of a data breach, according to the same Ponemon Institute and IBM study, is $3.8 million. But it can go much higher: $57M for Google, £20M for British Airways, and €18.6M for Telecom Italia, under the GDPR alone. A lack of cyber hygiene can prove very costly once exposed by a cyberattack.
CIOs are nowadays caught between the rise of cybercrime and the complexity of the regulations they must comply with, both nationally and internationally, not to mention the industry standards and frameworks, which themselves differ by sector, geography, and data criticality.
The real cybersecurity challenge is to manage all the applicable regulations coming from several thousand regulators, who generally use different syntaxes, taxonomies, and procedures and each see security through their own lens.
The burden of managing these multiple regulatory frameworks, tests, and controls represents a sizeable effort for companies in terms of human capital, financial capital, and time, all to the detriment of their core activity. Rigorous organization is therefore a must.
Compliance, and especially IT compliance, requires a complete and reliable 360-degree view of the company's IT assets. This holistic blueprint then serves as a platform for mapping regulatory guidance, typically sourced from a regulatory content provider, onto a set of shared controls. The main benefit of this approach is that one control can satisfy several regulatory standards at once, and that the organization can produce evidence of its ongoing initiatives when an incident or an audit arrives.
However, making the organization continuously IT compliant and secure requires more than just mapping controls to IT assets. It usually starts right at the inception phase of the IT architecture. By taking a zero-trust approach "by design" to IT security, organizations can gradually reduce their reliance on patch management as the primary line of defense (patching remains necessary, but it stops being the only control standing between an attacker and the crown jewels).
The process requires a strong collaborative effort from previously siloed departments or functions: security managers, enterprise architects, risk and compliance managers, administrators, etc. Ultimately, achieving this symbiotic relationship through a risk-based approach is what allows organizations to benefit from an IT architecture capable of meeting business objectives.
Implementing a robust security architecture is crucial for cybersecurity compliance. Beyond traditional security tools such as firewalls, antivirus, or VPN software, security architecture encompasses the entire information system and the means necessary to protect the IT infrastructure. More broadly, it defines the roles and responsibilities of each stakeholder in the security processes.
This whole effort of compliance and IT security is far from limited to large companies. Quite the opposite, in fact. A large share of cyberattacks originate from a breach at a third party. Service providers and subcontractors, small consulting firms, and suppliers are preferred targets of cybercriminals because they can provide a foothold, and often broad access, into larger companies.
Consequently, compliance attestations against IT security standards are very likely to become a prerequisite when selecting a new business partner. This is already the case with the European DORA (Digital Operational Resilience Act) regulation, which requires third parties serving financial institutions to undergo audits, questionnaires, and security scoring proportionate to the criticality of the service they provide.
IT security has really become everyone's business, from the management team to the most recently hired employee, whatever the size of the organization and whatever its sector, public or private, especially since a commonly cited figure attributes 95% of cyber incidents to human error. It is up to the management committee and the CIOs to set the tone from the top for cybersecurity and compliance. They must demonstrate strong support for the implementation of a state-of-the-art IT security architecture and lead by example in their daily interactions, without claiming exemptions for themselves, and with ethics and integrity.
* Entrepreneur.com: FBI Sees Cybercrime Reports Increase Fourfold During COVID-19 Outbreak (20/04/20)
** ANSSI: Cybersécurité, faire face à la menace (Cybersecurity: facing the threat), February 2021