In the years 2011-2016, 160 security breaches are documented that affected at least 3.5 billion records. Of those security breaches, 111, or about 70 percent, were from hacking. For all enterprises, it is no longer a question of whether cybersecurity measures should be implemented, but of when and how, which creates a new urgency in enterprise IT and throughout the organization.
Investment dollars are starting to funnel toward cybersecurity, but there is hesitancy as well. Organizations are realizing they need an enterprise cybersecurity roadmap to assess what is important, prioritize it, and implement security measures in a structured, holistic methodology that executes well while minimizing disruption and risk to the business. Until recently, security software was viewed as the silver bullet to protect the organization. But today, addressing vulnerability by software alone isn't enough; solutions must include the people and processes as well. The initial business requirements for the cybersecurity roadmap must address new questions: How do we establish parameters and right-size the program to meet organizational needs? How do we measure and analyze the performance of our cybersecurity efforts to manage them and ensure success? How do we implement needed changes to people and processes in a minimally disruptive fashion? Top management is now aware of the need to look at technology, people and processes as a holistic, integrated system that requires security at all points of access.
Similarly, the roles of Chief Information Officer (CIO) and Chief Information Security Officer (CISO) are evolving. The CIO/CISO can create awareness and understanding of issues at the Board and community levels, communicating what is needed and demystifying it. By conveying the vulnerabilities, risks, timing, resources, and practical urgency facing the enterprise, CIOs and CISOs can help leadership make an informed decision about cybersecurity. The chief officers need to act as mentor and coach to help leadership understand the weaknesses and the resources needed, and to ensure appropriate attention is paid to all areas across the organization. For example, technology is no longer managed only by the CIOs/CISOs. At least 30-50 percent of a technology portfolio is now managed in business operations and is not under a CIO/CISO's purview. It may be an end-user application that started in Excel, moved to Access and is now stored on a server under a desk somewhere, or even in the data center, but IT doesn't know what it runs, how it runs or how it was developed. The cybersecurity roadmap must address the ancillary technology tools, third-party vendor tools, and enterprise systems holistically. The CIOs/CISOs are in the perfect position to engage with stakeholders or vendors and understand vulnerabilities and safeguards, then update the roadmap and provide an assessment report. Achieving a strong disposition toward cybersecurity requires multiple roles and stakeholders working together to identify vulnerabilities, prioritize them, and plan the steps needed to make everything secure.
Investing in talented IT professionals is a broader issue. At McKesson, challenges focus primarily on two areas: bringing in new professionals to ensure we are continuously refreshing the talent pool with the most up-to-date skills, and energizing our current talent pool to ensure the skills of our core workforce don't become stale and to reduce resistance to change. Efforts are made to attract younger, more junior professionals and spark their interest in working with McKesson; longer-term employees, meanwhile, are proactively moved into new roles rather than allowed to continue in the same role indefinitely. The movement helps energize the tenured workforce and facilitates continuous learning. McKesson also provides opportunities for growth through collaborations with colleges that provide programs and opportunities to train in new technologies.
The best way to address the trends over the next five years is to consider cybersecurity from a holistic perspective and to consider how a solution fits into the enterprise value chain end-to-end. Currently, there are many point solutions and piecemeal approaches, but new thinking suggests addressing the people and process side of the cybersecurity equation and the dangers of social engineering. It's only a matter of time before innovation creates something that lets large organizations address their vulnerability fairly easily.