Reinventing Cybersecurity: Change the Rules of the Game

Capgemini
2019-10-11

Protecting the enterprise has become dramatically complex: attacks are constantly growing in number, severity and sophistication, and so is the target surface, due to the interconnectedness of organizations and the adoption of new technologies and business models in search of new ways to increase competitiveness and serve consumers.

As a result, cyber attacks continue to succeed, whilst organizations suffer from lack of visibility of their digital infrastructure, shortage of skills and limitations in threat data and actionable risk analysis.

Traditional solutions and approaches are limited in their ability to keep pace with these attacks: they are often piecemeal solutions with no integrated view of network, endpoint, data center, cloud, web, IoT and industrial vulnerabilities, and are therefore incapable of efficiently monitoring multiple locations, branch offices, or remote sites.

Compounding the problem, there is a shortage of skilled security professionals worldwide, which makes it difficult to implement a security strategy, scale security as the company grows and find access to industry-specific expertise, ultimately delaying key business initiatives. Moreover, many teams don’t have adequate access to the threat intelligence required to deliver accurate and up-to-date vulnerability assessments, and a lack of advanced risk analysis data and tools can limit its value as well.

The reality is that organizations in many different sectors often consider cybersecurity and its related spending an operational cost, a compliance duty, which is probably why companies are struggling with their digital transformations. Less than 36% of the organizations that have launched initiatives to adopt “digital enablers” (e.g. AI, automation, IoT, IIoT, 5G, advanced sensors) can be considered “digital masters”, even though the adoption of such technologies is widely recognized as a key factor in improving product quality, customer experience and satisfaction, workforce productivity, operational efficiency, and ultimately, competitiveness.

So, what is preventing the others from becoming digital masters? Cybersecurity concerns, paired with lack of skills. According to the Automation Use Case Survey by the Capgemini Research Institute, only 16% of organizations worldwide are implementing automation at scale: a very low percentage, which stems from fear of cybersecurity and complex IT security requirements.

If we look at Industrial IoT, which is considered another game changer, we discover that 37% of organizations have already adopted IIoT in all regions and sites where they operate (i.e. full-scale adoption). In this case, why are organizations struggling to move beyond pilots? For two thirds of the organizations, the answer is to be found in cybersecurity and data privacy concerns.

Digital masters, at the forefront of digital transformation, have recognized that cybersecurity is a competitive factor and not an operational cost or a constraint on the digital transformation of society.

GDPR is an example of this: business operators that have approached the regulation only as a compliance duty are not exploiting its potential in terms of revenue growth and improved margins.

Consumers are already thinking far beyond regulatory compliance in how they evaluate and choose organizations: 56% of them want to be kept engaged by organizations and rewarded for their engagement, with a significant portion (22%) expecting organizations to go above and beyond GDPR requirements and placing a very high level of trust in those that clearly and visibly demonstrate their commitment to data privacy.

What is the prize for organizations? An increase of between 9 and 14% in purchases from consumers who believe the organization is effectively protecting their data.

Another example comes from the automotive industry: 46% of autonomous vehicle early adopters would pay a premium of 20% and above over their current budget to manufacturers that can ensure vehicle and system data are safe from hackers. At the same time, 73% of consumers consider vehicle security a barrier to the adoption of a self-driving vehicle.

By analyzing digital masters’ approaches and strategies, we can pick five key indicators that cybersecurity is a business enabler and a driver to the adoption of digital technology:

1) Define a comprehensive cybersecurity strategy

The cybersecurity strategy must be linked to the mission and strategic business objectives of the organization, with strong ties to the financial, customer, and internal perspectives. This is of paramount importance for explaining the business impact of cyber threats to top management and securing adequate funding for the cybersecurity program, which typically represents one of the major issues for CISOs, CIOs and CDOs.

2) Identify the real risks

Managing cyber risks requires clear, complete and up-to-date visibility of the entire digital infrastructure stack and of business processes end-to-end.

It is important to keep in mind that risk management can become bottomless: it is therefore necessary to define which risks are higher than others and deserve more attention, budget and resources.

To this end, digital masters adopt threat modeling and cyber risk quantification methodologies that are incredibly useful to holistically evaluate cyber risk, assess the ROI of investing in specific capabilities and set the most urgent priorities in order to protect what matters. They also apply threat intelligence accurately, in order to know where the threat is most likely to hit, the profile of threat actors and the threat vectors they may exploit.

3) Secure the applications

Today, most of what matters to a business is delivered by applications. Customer experience, product enhancements, operational efficiency, employee satisfaction: the faster new applications are delivered, the faster the business is transformed.

The downside is that applications are also a major source of risk and vulnerability: they are targets for new exploits and attacks by cyber criminals. However, due to the pressure of new releases, security checks needed to manage applications and systems in depth are often incomplete, which leaves organizations open to attacks.

Cybersecurity must be embedded into every application and into the software development lifecycle, as well as the supply chain: leveraging threat modelling, static and dynamic analysis and reverse engineering is an integral part of a secure-by-design development process, which can also be performed “as a Service” to save time and effort.

4) Invest wisely in people and technology

Cybersecurity service partners can provide organizations with access to a global network of Security Operations Centers for continuous protection, industry-specific and cross sector experience, highly skilled and dedicated teams, agility and scalability, cost-effective pricing and compliance: the result is a greater level of security, with improved competitiveness and no distraction from the core business.

5) Improve continuously

Adopting a Cyber Open Range, a physical and virtual environment where organizations can ensure the continuous improvement of their security teams, is crucial for being challenged with the latest and most sophisticated attacks on IT, OT and cloud infrastructures, testing processes and security procedures, and improving readiness.

These are the key success factors of today’s digital champions, as well as the key capabilities and services that Capgemini is providing globally, leveraging more than 4000 cybersecurity and managed services experts, a global network of connected SOCs, proven expertise in IT, OT, IoT and cloud security, and strong experience and knowledge of business processes in all sectors.

The article was drafted by Alessandro Menna.