The imperative to digitally transform means organisations cannot ignore the challenge, which includes addressing the scarcity of people able to effectively understand and address cyber risk
There are always two ways to look at change: as an opportunity or a threat. As we enter the true digital era, where artificial intelligence, big data and analytical services, biotechnologies, robotics and the Internet of Things are transforming the way we live, shop, work, communicate and even vote, concerns about cyber risks are growing, and organisations are finding these risks increasingly difficult to counter.
However, the imperative to digitally transform means organisations cannot ignore the challenge, which includes addressing the scarcity of people able to effectively understand and address cyber risk. A recent Frost and Sullivan report for Microsoft shows we’re already experiencing a global shortage of skilled cybersecurity professionals to counter the expanding cybercrime industry.
While the threat is real, there’s no need for panic. Organisations can not only maintain but actually enhance their security as long as they’re willing to invest in security now – especially in the “modern” security capabilities offered by leading cloud computing platforms such as Microsoft Azure.
Some people I speak to are still concerned about adopting cloud services, believing that they will be better protected by continuing to rely upon on-premises technology models.
Considering that there have already been more than 1,100 reports of security breaches in New Zealand businesses since CERT NZ was launched in April 2017, the idea that businesses can just dig deeper moats and build higher walls around their own ICT systems is demonstrably ill-founded. Kiwi businesses lost at least $3 million to cyberattacks in the first quarter of 2018. And that is just the direct, reported, cost. Including indirect costs, and assuming many attacks go undetected or reported, this means the real cost will be much higher.
Businesses that demonstrate a strong focus on retraining staff in cybersecurity will position themselves as more secure (and reliable) partners or suppliers and more attractive workplaces for potential employees as well as reducing losses
I’m increasingly discussing the question of “security posture” with Microsoft customers and stakeholders. The concept is simple - organisations can either adopt an “assume secure”, or “assume breach” posture. The choice is profoundly important in determining an organisation’s future security strategy, and security investment and operational decisions.
For Microsoft, the choice is clear. Across the entirety of our business we adopt an assume breach posture. Operating on the assumption that a breach has already happened, we implement a comprehensive “protect, detect and respond” approach to protecting all our systems, and our own and our customers’ data.
Using the industry-leading security capabilities built on our hyperscale cloud platforms, which now include advanced machine learning and AI capabilities, enables us to stay ahead of the ever-evolving cyber threat landscape. The good news is that our customers can take advantage of all these capabilities, which are simply not available on premises or with local outsourcers, when using our cloud services.
The truth is that traditional security models have never really been as “safe” as we thought. I’ve often illustrated this through the analogy of having the best security system in the world but leaving the keys under the mat. Our research shows that of 100 people who receive an email from an attacker, 30 people will open the email, 12 will open the attachment or click on the link in that email – and all will do it less than four minutes after receiving it.
Moving to modern security models and utilising Office 365 can significantly mitigate this type of risk. Ever more advanced AI-enabled security tools scan incoming mail for threats and filter these out before they even reach our inboxes. Of course, it’s impossible to entirely prevent malicious hacking, human error or other sources of cyber risk, but the effectiveness of these tools continually improves, thanks to the vast scale of cyber threat data that can be gathered via the public cloud and translated into security insights using data analytics. More insights lead to more proactive security tools that benefit us all.
Digital transformation means that organisations are increasingly enabling their staff to be more mobile, accessing systems on many devices, engaging with customers directly, sharing data and using universal systems across international borders.
Frost & Sullivan reports organisations have the capacity to investigate only around half of security alerts they receive on any given day
On the face of it, this simply provides more access points for potential threats. However, if organisations use cloud-based platforms such as Microsoft Azure and Office 365 to enable their transformation, they can actually enhance their overall cybersecurity. For example, organisations will benefit from using platform services that are always patched and, in Microsoft’s case, benefit from enormous economies of scale and scope.
But more than just technical measures are needed. If people are the weakest link in the system, upskilling existing employees in cybersecurity will not only create new opportunities for people but add an additional layer of defence. The Frost and Sullivan report shows we already need around two million more cybersecurity professionals worldwide. Very few organisations have a dedicated chief information security officer. The report also shows organisations have the capacity to investigate only around half of security alerts they receive (56 per cent) on any given day. That’s why it’s imperative to upskill existing staff to increase awareness of threats across your organisation, as well as invest in AI and cloud security.
The investment will be amply repaid. As digital transformation accelerates, businesses that demonstrate a strong focus on retraining staff in cybersecurity will position themselves as more secure (and reliable) partners or suppliers and more attractive workplaces for potential employees as well as reducing losses. The median number of days an organisation is compromised before it discovers the breach is variously estimated at 99 days up to more than 250. Skilled staff can potentially detect these breaches much faster, reducing the cost to the organisation, so the faster we train people to detect and counter threats, the more we can save.
Microsoft is investing more than US$1 billion in cybersecurity each year and, provided all businesses take the threat seriously and take the appropriate steps, we can all enjoy the benefits of a digital world. Yes, there will always be threats, and it will take time to fully train the new generation of cybersecurity experts, but by adopting cognitive technologies like cloud, AI and intelligent data analytics, as well as a real and sustained focus on upskilling staff, businesses will be poised for greater opportunities than ever before.
Russell Craig is national technology officer, Microsoft NZ
Get the latest on digital transformation: Sign up for CIO newsletters for regular updates on CIO news, career tips, views and events. Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.