Why the cyber security field needs to take a leaf out of medicine’s book

31 Aug 17

There’s a revolution going on in modern medicine. In the past, medicine was generalised and prescriptive: if a treatment worked for one person, it was assumed it would work for the general population. That assumption no longer holds. Medicine has moved from this old-world approach to one where doctors, and the treatments they offer, focus first on preventing disease and, if someone does fall ill, on personalising the treatment, explaining the risks and benefits to patients in everyday language and involving the patient in their ongoing care.

So what’s medicine got to do with cyber security? Quite a bit, as it happens. Think about the way we’ve traditionally looked at cyber security. IT security teams operate outside of the business context, use language that boards and C-suites don’t understand, and don’t involve the general business in reinforcing its defences against cyber threats.

That approach has to change if we’re going to combat the ever-increasing threats from bad actors. And the need for change is pressing. Last year, 4,150 data breaches worldwide exposed over 4.2 billion records – an all-time high. We’re also moving into the era of the Internet of Things, with a predicted 20.4 billion connected devices by 2020. Companies that have written no code in the last decade will be responsible for over a trillion lines of code in the next. So how do we protect all that?

The key is bringing precision to security, just as is happening in medicine. The security reality is that one size simply does not fit all. So security teams have to work with business teams to make risk visible, take command of that risk, and decide which risks are worth taking and which are not. That’s the prevention aspect.

IT also has to work to personalise security for the business teams and involve them in the organisation’s security posture. Business isn’t interested in the technical details of an attack – and generally won’t understand when IT tries to explain it in technical terms anyway. What the business teams care about is impact to reputation, what has happened to customer data, and what the legal ramifications are.

And the reputational aspects are stunning. Research has found that data breaches, along with poor customer service and environmental disaster, are among the top three negative impacts on brand reputation. In 2016, 70 per cent of organisations in Asia Pacific and Japan reported that they had experienced a security incident that negatively impacted operations. That means a lot of companies are risking their reputation – one of the most important assets a business has – because they are still stuck in the old way of doing things.

As well as the reputational aspects of breaches, there are legal ramifications. New laws such as the European Union’s General Data Protection Regulation (GDPR), under which companies can be fined up to EUR 20 million or four per cent of worldwide annual turnover, whichever is greater, for non-compliance, and Australia’s mandatory data breach notification laws, mean that companies simply must change their approach to security or wear the consequences.

So what’s the answer? We need to look back at medicine. IT and the business must work together to identify risk, agree on a common language, and bridge the gap between boards, the C-suite and the business’s security posture. Put another way, cyber security must become preventative, personalised and participatory. But at the same time it must also be responsive. As with medicine, you need a treatment plan should prevention fail: the ability to recover from setbacks, adapt to change, and keep going in the face of adversity.

Security is no longer a technological problem. It’s a problem of communication, process and participation. More than anything, however, security is a business problem, and that must govern the way we approach it in the future.

Article by Len Kleinman, RSA’s chief cyber security advisor, APJ.
