Cyber security is now critically important and will become more so through the “digital decade”. Whether a small business or Fortune 100, one’s business resiliency depends upon being able to withstand and recover from a variety of scenarios including a cyber disruption. Cyber attacks are increasing in frequency and broadly impacting businesses through extended downtime to core business processes. This article will explore three knowledge points relating cyber security to business resiliency.
Point 1. Why Cyber Security Is Important
The purpose of cyber security is to protect data as it becomes more and more valuable and critical to businesses. Data is:
- Key to e-commerce and direct-to-consumer sales and marketing. Projections suggest that by 2025 data stories will be the predominant form of consumer analytics
- Valuable to the business as an operations value-add and a deliverable sold to other companies
- Fuel for artificial intelligence and machine learning (AI/ML) which, by the end of 2021, will generate 30% of net new revenue growth
- A core business function that involves Chief Data Officers in setting corporate goals and strategies that can increase overall business value by a factor of 2.6x
- A competitive advantage as it is subjected to more automated and scaled data classification and data modeling, which enables earlier identification of trends
The global big data market from 2018 to 2022 has a compound annual growth rate projected at 13.2%, from $168.8b to $274.3b USD, according to Statista. Consequently, more and more organizations view their data as valuable and apply more ways to extract value now and for the future.
Because cyber security is more inclusive than data (or information) security, it is important to know the distinction.
Data security includes the protection of data from disruptions such as unauthorized modification, destruction, and disclosure. Data security provides that protection through processes such as backup, encryption, erasure, and masking. Data security focuses on the data itself as well as on means of access to the data.
Cyber security concerns a bigger context than just the information. The National Institute of Standards and Technology (NIST) defines cyber security as:
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Data is the essential content upon which so many business functions and successes depend. Data security is important. However, the technology, the systems, and the processes that operate on the data make possible the acquisition, analysis, modeling, and application of the data. By exploring the breadth of cyber threats and risks, we will see more clearly the significance of cyber security.
For clarification, cyber threat and cyber risk are not the same things. NIST distinguishes the two definitions as:
Cyber Threat: any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation); organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Cyber Risk: depending on cyber resources, i.e., the risk of depending on a system or system elements which exist in or intermittently have a presence in cyberspace … risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions
Simplified, a cyber threat is the potential cause and cyber risk is the possible effect.
Both cyber threat and cyber risk are becoming more significant in proportion to the increasing value of data and of the technologies that analyze, manage, and apply data-driven decisions. The importance of cyber security in protecting against the growing number of threats is obvious.
The Dell Technologies Digital Transformation Index disclosed that one-third of global business leaders doubt their organization’s ability to protect their employee data (29%) and their customer data (33%). This 2018 report also looked to the future, reporting that 49% expect their organizations to struggle with effective cyber protection in the next five years.
The specific cyber threats generalized in the NIST definition include malware, data wiping, data locking, server disabling, insider attacks, backup compromise, and data theft. The protection required against those is extensive, and the primary reason is the cost of disruption, either from data loss or from downtime.
Cybersecurity Ventures expects cybercrime costs to grow by 15% annually through 2025. By then, the estimated global cost will have reached $10.5t USD, up from $3t in 2015. These costs include loss of data and money plus the cost of disruption to the business.
In 2019, interviews of 1000 IT leaders revealed that 82% of global organizations had suffered at least 1 disruptive event, compared with 76% in 2018. The average cost of data loss was just over $1m and the average cost per disruption was $810k. Figure 1 lists the causes of each.
Point 2. What Cyber Security Provides
Having a cybersecurity program that offers a known and holistic approach can increase an organization’s confidence in its ability to reduce downtime to critical business functions after a cyberattack. The NIST Cybersecurity Framework sets such a strategy across five functional areas.
The framework (Figure 2) indicates the five actions that warrant attention:
- Identify: itemize and justify the specific elements that should be protected and why
- Protect: determine the specific protection elements needed and how to implement them
- Detect: put in place strategies and actions that quickly and accurately detect potential cyber security breaches
- Respond: plan the actions to apply in the event of a breach: communication, analysis, mitigation, improvements
- Recover: build thorough recovery plans that include improvement contingencies and thorough communication.
A holistic cyber security program includes all five components. When weighing the relative value of a self-developed or a vendor-provided cyber security program, the combined elements of cost and expertise demand attention.
In a Dell Technologies survey, the majority of IT decision-makers agree that emerging technologies pose a risk to data protection (61%) and that those technologies create greater complexity for data protection (71%). Consequently, 62% of those IT leaders agree that their current data protection efforts are insufficient.
In 2019, 80% of those global businesses used multiple data protection vendors. In a 12-month period, those companies using multiple vendors averaged 12% more data disruption and their costs were typically five times higher than those using only one vendor.
Point 3. What Cyber Security Requires
The rapid expansion in the global use of data with new technologies is producing new and expanded skills requirements. The demand for new skills is outpacing the supply of skills in the current workforce. The 2020 report by the International Systems Security Association found that, among its membership of cyber security professionals:
- 70% believe their companies have been impacted by the “global cyber security skills shortage”
- 93% believe that shortage has grown worse (45%) or not changed (48%) in the past four years
- 65% believe their companies should provide more (36%) or significantly more (29%) training for cyber security professionals
The shortage is not merely in the number of qualified cyber security professionals. It also includes additional skills needed by those employees already in place. The demand for upskilling spans a broad range of disciplines, such as these reported by CSO magazine:
- Risk ID and management
- Technical fundamentals
- Data management and analysis
- Development Security Operations (DevSecOps)
- Threat hunting
- Interpersonal skills
- Business acumen
Business and interpersonal skills appear on the list because cyber security is no longer only a technological concern. The role of the cyber security professional now reaches into disciplines throughout a business. IT professionals seeking to specialize in cyber security require training that spans IT and cyber security frameworks. Dell Technologies’ cyber security on-demand training package provides such training and information: from security fundamentals to IT and NIST frameworks to practical training on the Cyber Recovery solution.
Call to Action
To take the necessary steps toward cyber security for your company or knowledge and skills for your growth as a cyber security professional, check out any of these resources.
- Dell Technologies Cyber Security on-Demand Training Package
- Dell Technologies Global Data Protection Index
- NIST Framework for Cyber Security, v.1.1
- The Life and Times of Cybersecurity Professionals 2020
View this on-demand session recorded during Dell Technologies World, May 5-6, 2021: “Increase Cyber Resilience: Recover with Confidence after a Destructive Attack”. We can help you be ready for whatever comes next.