Security Can’t Keep Up, or Can It?

Not too long ago I was asked to join a roundtable to discuss security. We had a good conversation about why security is important and whether enterprises are doing enough to fight the bad guys. Gestalt IT hosted the conversation, and you can listen to it below or on their site (https://gestaltit.com/podcast/rich/security-cant-keep-up-the-on-premise-it-roundtable/). For the most part, my colleagues took the side that the bad guys are always finding ways in and that enterprises are the ones playing catch-up. However, I disagree with this premise.

Security has not always been at the forefront of the conversation. This is evident in the products that companies use. Products like Windows, Office, and QuickBooks were originally built to solve a problem. For instance, financial people needed a way to chart calculations, so products like Lotus 1-2-3 and Microsoft Excel were created. But security was not designed in from the beginning. Eventually software companies caught on and added security, but it usually seems to be more of an add-on.

In the past few years, I have seen many companies change this discussion. Companies that I have worked with have started taking security seriously. This includes hiring a person to concentrate on information security. Why is this? Put simply, the cost of that one person is far less than the cost of a single breach, and C-suites are starting to understand this. For instance, back in 2017 the pharmaceutical company Merck was hit with a cybersecurity incident that cost them well over $150 million. While this is an extreme example, it is a really good one for other companies. No C-level staff member wants to explain to shareholders a loss even a fraction of that size that could have been mitigated.

It is now 2019 and I am seeing many companies listening to examples like Merck's cybersecurity incident. They are hiring information security staff to help find the holes in their networks. Simple concepts like patching and closing firewall holes help. But that is not all that is being done. Tools like antimalware agents on end-user computers help to catch malicious software when it is launched accidentally. Additionally, companies are spending money on training end-users to recognize security events so that threats never get in, even accidentally. Training is not a panacea, but it definitely helps. Plus, as companies make the move to the cloud, security becomes even more important.

Information security is not perfect, and bad events can still occur. But companies are recognizing that they need to spend money on security. In fact, some companies even use their security programs as a selling point. Additionally, governments are starting to mandate security (e.g. regulations like GDPR), so it will become more prevalent. In the future, I expect all companies to either have a good security program or no longer be in business. As always, let me know if you think differently.

Posted in Security, Security Field Day.