The crucial relationship between an organisation and its customers has been increasingly defined by data in recent years as new insights breed better products and services. However, this has also meant fears of a damaging data breach have risen sharply, making it a board-level issue and a concern across the whole business.
This has also forced organisations to re-evaluate their approach to security, risk and governance, which were typically viewed and managed as separate domains. New requirements, such as the European Union’s General Data Protection Regulation, have brought the areas of security and privacy closer together and empowered people to be more aware of how their personal data is being used.
In this new reality, keeping security, risk and governance separate is detrimental to an organisation’s overall ability to protect itself. Companies implement security controls to enforce appropriate activity, but knowing what’s appropriate and determining what needs to be done requires governance and a strong understanding of the risk levels.
“They’re all part and parcel of the same process,” says Travis Grandpre, senior director of security, risk and governance marketing at Micro Focus, the UK’s biggest technology company. “Security becomes the enforcement mechanism, risk becomes the measure and governance the decision-making. If you bring all of those teams together around that uniform process, you can be much more effective and start providing a lower-risk environment.”
Companies must also recognise the clear relationship between identities, applications and data, and how each can become a vulnerability if not protected as well as the others. When silos are prevalent across an organisation, it can be easy for an individual with a background in DevOps, for example, to only think about application security.
By neglecting to think about the data the applications operate on or the users who interact with them, they can end up running into different kinds of security challenges. Making a change in one area can also have an impact on others that are out of view. “If they’re not careful, they can set the organisation up to be blindsided,” warns Mr Grandpre.
In the rush to meet the demand for greater security, venture capitalists have inadvertently heightened the likelihood of such silos in an organisation. They have injected more funding into the security industry in the past year than in the last four combined, and the result is an abundance of point solutions that tackle very narrow pieces of the security problem, creating even greater integration challenges and making it difficult to achieve a holistic view.
By providing perspective and integration across not just security, risk and governance, but the whole enterprise, including DevOps, hybrid IT and analytics, Micro Focus is well suited to organisations that wish to eliminate harmful silos and achieve a well-rounded approach to securing their business.
“We have the ability to connect all these teams, solve new use-cases and couple different businesses and buying centres, which allows organisations to bring in technology that’s been built to solve security challenges in a much more impactful way than the many point vendors out there in the market,” says Mr Grandpre.
The benefits of bringing together security, risk and governance spread beyond protecting the organisation from threats and ensuring data privacy for customers. Cybersecurity is now so engrained in the success of an organisation that achieving a well-rounded approach also enables new opportunities for businesses to grow.
“It gives you many ways to drive disruption and achieve even greater heights, while at the same time defending against breaches and keeping data private,” says Mr Grandpre. “We can help customers deliver a bright digital transformation for their future without worrying about incurring greater risk.
“Over the last 40 years, Micro Focus has proudly built this very successful business from taking a lot of amazing technology, some more mature and some new, and making it work for where our customers are going. We have some of the best, innovative technology in the marketplace, spanning not just security, but many other parts of the enterprise.”
For further information please visit www.microfocus.com/srgtimes
Q&A: Culture eats strategy for security
Nick Nikols, vice president of security strategy at Micro Focus, says building a risk culture is crucial to keeping secure in today’s threat landscape
What is the danger of overlooking people and process when protecting an organisation from cyber-threats?
Technology is a tool the process uses, but it’s people that make the decisions. You end up having multiple levels you're dealing with, from those running the business to the employees operating all of the necessary functions within the organisation and the customers being interacted with. Understanding that relationship relative to the processes and how the technology can facilitate their interactions is critical. You can't separate the three; they’re integral to any successful deployment.
What’s your advice for building a culture where technology, people and process interlink most effectively?
You need to have a certain level of transparency as to what's going on within the business. When you're dealing with technology, or even when you're dealing with processes, that visibility into the current state of play elevates the understanding of the overall risks. Having the right kind of analytics facilitates this because additional insights and awareness help change behaviour and impact the efficiency of how people interact. The culture builds a much more productive environment because everybody has a clearer picture of the risk of their individual activities and it becomes more natural to do the right things.
How can organisations ensure their people aren’t their biggest vulnerability?
We've seen the biggest success when companies place more emphasis on career growth and fostering people to develop and stay within the organisation. By treating them as a long-term asset, they can keep growth going as far as addressing security and risk, and the things around culture that can be really impacted. Having said this, I don't know if it's ever possible for a company to be so risk focused that everybody watches everything they access and share, so technology plays a big part too. You can look at privileges and monitor access, keeping a much more granular look and avoiding a situation where no one really understands what’s going on.