Why cyber security must be a C-suite priority
Digital technology has fundamentally changed business practice over the past decade. Cloud based applications dominate, workers routinely access corporate information remotely via smart phones and access to the corporate network increasingly includes supply chain members, contractors and part time workers. Yet cyber security has failed to keep up – and some of the responsibility has to lie with the C-suite.
Why are cyber security experts not involved from day one in every strategic decision? Why are businesses still expecting the security team to take responsibility yet leaving deployment in the hands of multiple departments, from application development onwards? It is time to address the fragmented, outdated, reactive attitudes to cyber security that still dominate. By failing to embrace security expertise and innovation up front, businesses are incurring far too much risk. Adam Boone, Chief Marketing Officer, Certes Networks, insists it is time make cyber security a priority for every C-suite.
Exploding Attack Surface
While it is hard to imagine a new business initiative or strategic development that is not IT driven, only 45 percent of boards participate in overall security strategy. Yet not only is technology underpinning every aspect of business, the increasingly fluid and agile way in which businesses now operate has fundamentally changed the threat landscape, most notably by massively expanding the attack surface. The number of applications now being used by a huge and diverse user base, both within and outside the organisation, across personal smartphones, in the cloud and, of course, IoT devices, has created a level of risk never before encountered. Each one of those users or end-points becomes a target, a point of potential vulnerability. Just consider that one hacked company can compromise the operations of every business along an entire supply chain. Or a single contractor who is compromised by an attack can become the steppingstone into the heart of your company. Cyber security practices clearly have not kept up with this exploded attack surface, the near daily exposure of breaches confirms.
The implications of this lack of senior level participation in cyber security strategies are tangible. First of all, security is reactive, with experts consulted after strategic business decisions have been taken and IT deployments rolled out – leaving gaping holes in the security plan that simply cannot be effectively filled retrospectively. Secondly, responsibility for security is not centralised but fragmented across multiple silos – from application developers to network teams and those responsible for remote access or end-point protection.
The result is that while security may be tasked with safeguarding the business, achieving that objective can require interfacing with up to eight different groups – all of which are focused on their own areas of responsibility, rather than security. In some cases security is not the overriding, top priority of these teams, who are focused instead on application or network performance and other fundamental functions. Even then security procedures and tools are implemented piecemeal, creating a fragmented and confused picture across the organisation.
While security remains a secondary business consideration and security teams lack central control, the corporate risks will continue to rise.
Best Practice in Cyber Security
The difference between those organisations that have a top-level commitment to security and the rest is stark. The best practice approach ensures security is considered, evaluated and incorporated into the planning stages of every corporate strategy – not addressed after the fact.
Furthermore, a dedicated security team – preferably led by a Chief Information Security Officer (CISO) – has full, centralised control over policy and implementation enabling the business to achieve uniform security across the entire enterprise, rather than the fragmented, even contradictory solutions often deployed on a departmental basis.
Critically, with security people involved in the planning stage from day one, the company can ensure best security practices are baked in to the project from the outset – and that best practice cyber technologies can be embraced to both improve defence and drive business value.
For example, replacing a traditional – and vulnerable – rigid firewall with a software-defined perimeter that is far more fluid enables a business to remain secure despite constant operational change. A software-defined perimeter that is disconnected from the infrastructure can drastically simplify the complexities of adding or removing cloud applications, or granting mobile access for a specific set of workers. Similarly, the adoption of software-defined Wide Area Networks (SDWAN) enables organisations to securely embrace the lower cost cloud computing model while maintaining every aspect of the security posture – from policies to encryption.
Essentially, with a centralised approach and a security strategy aligned with business direction, organisations can move away from outdated thinking about securing the perimeter. Simply put, security can no longer be about managing devices and networks. It must instead be focused on managing users and applications, and tightly aligned with the business objectives associated with both. For example, role-based access control can enable an enterprise to consistently enforce policies across the range of users and applications, directly aligning that critical security function of remote access with the overarching business objectives. Which applications do physicians need to access in order to do their jobs? Which do the nurses need? Which should never be accessed by either?
The most effective approach enforces these policies in the actual access control process itself, building on existing policies for user access and identity management. Then, when access is to be granted, the application traffic is protected by cryptographic segmentation that prevents it from being accessed by the non-permitted users.
This approach has the added benefit of blocking unauthorised lateral movement, which is the hallmark of modern data breach vectors. If all applications are protected by real-time role-based access control, and if all user access is limited to only what a user needs to do their jobs, then the compromise of one user does not grant access to everything. Lateral movement is constrained and the breach is contained.
Organisations that embed this software-defined model within strategic planning not only minimise risk but also support business innovation. Consider a company looking to deploy a new application to its workers that will increase productivity by 40 percent. Roll that out to the 50 percent of staff that work at HQ and the benefits are clear; but build in security planning from day one and that application can be securely extended to mobile workers on their smart phones and part time contractors – suddenly the 40 percent productivity gain is massively extended, boosting performance and delivering ROI for the application itself far, far quicker.
When every business decision has a technology implication, cyber security clearly needs to be led from the top; it must be organisation-wide rather than silo-focused; centralised and consistent. Done well, security is not simply a defensive strategy, but an enabler of better enterprise performance – and those organisations with a C-suite that prioritises cyber security are not only in a far better position to minimise risk but also well placed to drive tangible business value.
Automation of repetitive tasks leads to higher value work
Two-thirds of global office workers feel they are constantly doing the same tasks over and over again. That’s according to a new study (2021 Office Worker Survey) from automation software company UiPath.
Whether emailing, inputting data, or scheduling calls and meetings, the majority of those surveyed said they waste on average four and a half hours a week on time-consuming tasks that they think could be automated.
Not only is the undertaking of such repetitious and mundane tasks a waste of time for employees, and therefore for businesses, but it can also have a negative impact on employees’ motivation and productivity. And the research backs this up with more than half (58%) of those surveyed saying that undertaking such repetitive tasks doesn’t allow them to be as creative as they’d like to be.
“When repetitive, unrewarding tasks are handled by people, it takes time and this can cause delays and reduce both employee and customer satisfaction,” Gavin Mee, Managing Director of UiPath Northern Europe tells Business Chief. “Repetitive tasks can also be tedious, which often leads to stress and an increased likelihood to leave a job.”
And these tasks exist at all levels within an organisation, right up to executive level, where there are “small daily tasks that can be automated, such as scheduling, logging onto systems and creating reports”, adds Mee.
Automation can free employees to focus on higher value work
By automating some or all of these repetitive tasks, employees at whatever level of the organisation are freed up to focus on meaningful work that is creative, collaborative and strategic, something that will not only help them feel more engaged, but also benefit the organisation.
“Automation can free people to do more engaging, rewarding and higher value work,” says Mee, highlighting that 68% of global workers believe automation will make them more productive and 60% of executives agree that automation will enable people to focus on more strategic work. “Importantly, 57% of executives also say that automation increases employee engagement, all important factors to achieving business objectives.”
These aren’t the only benefits, however. One of the problems with employees doing some of these repetitive tasks manually is that “people are fallible and make mistakes”, says Mee, whereas automation boosts accuracy and reduces manual errors by 57%, according to Forrester Research. Compliance is also improved, according to 92% of global organisations.
Repetitive tasks that can be automated
Any repetitive process can be automated, Mee explains, from paying invoices to dealing with enquiries, or authorising documents and managing insurance claims. “The process will vary from business to business, but office workers have identified and created software robots to assist with thousands of common tasks they want automated.”
These include inputting data or creating data sets, a time-consuming task that 59% of those surveyed globally said was the task they would most like to automate, with scheduling of calls and meetings (57%) and sending template or reminder emails (60%) also top of the automation list. Far fewer believed, however, that tasks such as liaising with their team or customers could be automated, illustrating the higher value of such tasks.
“By employing software robots to undertake such tasks, they can be handled much more quickly,” adds Mee pointing to OTP Bank Romania, which during the pandemic used an automation to process requests to postpone bank loan instalments. “This reduced the processing time of a single request from 10 minutes to 20 seconds, allowing the bank to cope with a 125% increase in the number of calls received by call centre agents.”
Mee says: “Automation accelerates digital transformation, according to 63% of global executives. It also drives major cost savings and improves business metrics, and because software robots can ramp-up quickly to meet spikes in demand, it improves resilience.
Five business areas that can be automated
Mee outlines five business areas where automation can really make a difference.
- Contact centres Whether a customer seeks help online, in-store or with an agent, the entire customer service journey can be automated – from initial interaction to reaching a satisfying outcome
- Finance and accounting Automation enables firms to manage tasks such as invoice processing, ensuring accuracy and preventing mistakes
- Human resources Automations can be used across the HR team to manage things like payroll, assessing job candidates, and on-boarding
- IT IT teams are often swamped in daily activity like on-boarding or off-boarding employees. Deploying virtual machines, provisioning, configuring, and maintaining infrastructure. These tasks are ideal for automation
- Legal There are many important administrative tasks undertaken by legal teams that can be automated. Often, legal professionals are creating their own robots to help them manage this work. In legal and compliance processes, that means attorneys and paralegals can respond more quickly to increasing demands from clients and internal stakeholders. Robots don’t store data, and the data they use is encrypted in transit and at rest, which improves risk profiling and compliance.
“To embark on an automation journey, organisations need to create a Centre of Excellence in which technical expertise is fostered,” explains Mee. “This group of experts can begin automating processes quickly to show return on investment and gain buy-in. This effort leads to greater interest from within the organisation, which often kick-starts a strategic focus on embedding automation.”