By Jim Zuffoletti, CEO & co-founder of SafeGuard Cyber
Estimates suggest that by 2021, cybercrime will cost the world $6 trillion every year. This will constitute “the greatest transfer of economic wealth in history,” making cybercrime “more profitable than the global trade of all major illegal drugs combined.”
Too many enterprises fail to protect themselves adequately because most of them are approaching cybersecurity in the wrong way. They are recapitulating Web 1.0 models of information security, in which security is applied as an afterthought, bolted on to a process or technology solution.
This approach is inadequate. Modern forms of digital risk are too sophisticated and too dangerous. Instead, to simultaneously drive business growth and properly protect themselves, forward-looking enterprises need to implement a Security by Design approach. This approach enables companies to build comprehensive security into the foundations of all enterprise teams, processes, and behavior – empowering organizations to embrace new digital tools with peace of mind.
Security by Design: Trading the Reactive for the Proactive
The security perimeter is gone. Today, every aspect of the business is tied to cloud SaaS applications and mobile chat apps that live outside the traditional perimeter. Marketing makes constant use of social media apps; customer data is stored in a cloud-based CRM; internal communications are conducted over collaboration platforms like Microsoft Teams; sales teams might even leverage WhatsApp and WeChat to talk to prospects. An enterprise’s daily operations are conducted in the cloud, and more importantly, that’s where data resides, too. Business communications contain customer data, IP, and more.
With a Security by Design approach, you respond to this reality by constructing a flexible network perimeter around every end user. You depart from the 64% of businesses that don’t include the security team in discussions of technology-enabled business initiatives. Instead, you start by understanding what tools are needed by all the people within the enterprise, and then you apply security to all of those tools – at the end user level. You create a tech stack and a set of practices that weave security through every part of the business.
Traditional security tools are not built to deal with a post-perimeter, multi-channel security landscape. Because of this, they can only offer a reactive security stance. Events like these become commonplace:
- Information security finds out that an employee opened a malicious link sent over LinkedIn, and malware has transited from their home computer over the VPN. They rush to try and repair the damage.
- HR finds out that a group of employees is bullying another employee over Slack, and has to go and investigate – weeks after the issue started.
- Marketing suddenly finds themselves locked out of the company Instagram, and only then do they try to roll out an account takeover response plan.
- A sales rep discovers a fake website that has been up and running for months, and belatedly begins the long process of trying to get the website taken down.
- A compliance officer discovers that a rep has been having a noncompliant conversation with a prospect, and can only try to correct the behavior after the fact.
Everything is reactive. However, if you are only trying to deal with incidents once they have already occurred, you are setting yourself up for controlled failure. Eventually, one of these incidents will be serious: a ransomware attack, IP theft, or something else that can seriously hamper growth.
By contrast, a Security by Design framework establishes protection from digital risks prior to their emergence as a threat.
Security by Design = Growth by Design
The real beauty of Security by Design is that the approach can have a material business impact. A bad ransomware attack, or IP theft, can be devastating, and seriously hamper growth ambitions. To be productive, reach customers, and stay competitive, businesses need to embrace social media, collaboration apps, and messaging apps. But without the right protections, in embracing these cloud channels, they are rolling the dice on the integrity of their enterprise. Their digital transformation is risky, and contains blind spots.
However, once security is built into an enterprise’s approach, new tools and platforms are secure from the start. This immediately creates secondary business benefits. When you are proactively monitoring your cloud channels, entire new datasets are generated. These can then be piped via an API into a business insights engine. Compliance issues can be monitored in real time, at scale, across various languages.
Security by Design is an approach that powers business goals. Security teams have become accustomed to being seen as the department that wants to put the brakes on sales and marketing’s embrace of new tools – but with this approach, they can do the opposite. They can greenlight new tools, and work with growth teams to optimize the output of those tools so that they become a part of the revenue engine.
One layer down, the business benefits of Security by Design compound again. Alongside staff members, consumers also value security. Individuals are tired of data breaches, and solemn promises by enterprises to do better next time. As Ernst & Young put it, “when data confidentiality, integrity or availability are compromised, or products and services cease to perform as expected, trust built over years can be lost in a day.”
Being able to present yourself as a company that is prioritizing security in active and innovative ways is a major competitive advantage. By moving toward a proactive security model, you both better protect your company and your employees from attacks – and better satisfy customers.
Let’s revisit how a Security by Design approach changes the business examples cited above. When you trade a bolt-on security approach for a Security by Design approach, you move from a reactive stance to a proactive stance:
- Information security procures technology to enable employees to use LinkedIn. The technology immediately detects any malicious links, flags the posts and intercepts the content – before anything malicious can be clicked on.
- HR procures technology to protect the company’s expanded Slack environment. Inappropriate conduct is immediately flagged, and HR can intervene early and stop the problem from worsening.
- Marketing and security have defined the roles and responsibilities for social media and fake accounts. Using a cross-functional approach, Marketing detects an account takeover, and immediately retakes control. They alert security to the incident.
- Sales can work with marketing and security to initiate a takedown of any fake account. Such accounts are detected by technology that actively crawls the internet (both surface and dark) around the clock.
- A compliance officer is notified that a message sent by a rep might contain an issue, because compliance and sales have agreed on what channels need monitoring. The message has been quarantined so it can be checked before it is allowed to be sent.
The Future of Security is by Design
A Security by Design framework enables enterprises to properly protect themselves, and move from a reactive stance, where a crisis is always around the corner, to a proactive stance. Security by Design is the only sensible approach in an era where so many business-critical tools live outside the traditional perimeter, and modern digital risks are so numerous, complex, and sophisticated.
Security by Design is also the only sensible approach for enterprises that want to do everything they can to drive growth. When a Security by Design framework is properly implemented, security becomes a driver of business success. Executives and board members can view digital security as achieving a positive goal that helps drive business growth. Security becomes synonymous with revenue. When properly safeguarding the organization is understood as simple financial prudence, including security at the inception of a product or service becomes an obvious best practice. This view of security is the future.
About the Author
Jim Zuffoletti has been a founder of start-up organizations, as both an entrepreneur and an intrapreneur, for the past twenty-five years. Jim is CEO and co-founder of SafeGuard Cyber, a digital risk protection company securing brands, VIPs, and team members in the new world of social media and digital communications. Jim was previously CEO and President of OpenQ, which enabled pharmaceutical, biotech, and medical device companies to discover, regulate, and leverage the social networks forged with outside influencers and researchers. Jim Zuffoletti can be reached via the company website at www.safeguardcyber.com.