Awareness. You must have stumbled across this word hundreds of times when reading about cyber security. The main point in many articles is that it is essential that today’s executives and decision makers in the private and public sector realize what is at stake, because this awareness is the starting point for a safer world.
Well, I’ve got news for you. Lack of awareness is no longer the issue. Media reports on cyber incidents have been ubiquitous in recent years, and they have served their purpose. As a consequence, almost every executive now seems convinced that organizations need to invest in prevention, detection and response measures in the cyber domain. Cyber security has clearly secured a prominent place on the board agenda. Moreover, it is satisfying to note that many executives fully realize that acting out of fear of the consequences of an incident is not the best way to respond in this domain. A far better strategy is to build an effective risk-based approach and thereby take a more proactive attitude.
So much for the good news. It is now time for the next step: moving the issue from the board agenda to their to-do list. In other words: it is time to take action.
This is perhaps the hardest part of the cyber security challenge. We know what is at stake and we have formed a vision on the issue. But the litmus test is: do we know what action to take? The pressure is mounting, not only because the threats are very real but also because oversight bodies, the audit community, policy makers and other stakeholders make greater demands than in the recent past. This applies not only to private firms, by the way, but also to government bodies and sector initiatives.
I see promising initiatives all around me that prove our ability to act. Not only are organizations deploying state-of-the-art tools and programs, they are also starting to focus on what end users must do to prevent cyber security incidents from happening in the first place. One example is gamification, which makes it more tangible for end users how to act and how to spot dangers. In addition, gamification helps to move cyber security from “fear” to “fun”. At KPMG we recently launched an interesting platform with our partner G4S in this respect.
Another promising field is that we are starting to find new ways to resolve the classic tension between security and ease of use. I am convinced that we should put more focus on ease of use for the end user when it comes to protective measures. End users will simply not be willing to adopt security processes or routines if they feel that complying with them is too much of a hassle. For instance, there is considerable potential in face recognition and other easy-to-use approaches to overcome the burden of the sheer number of user IDs and passwords.
Another area lies not with the individual user but is a more centralized matter: threat intelligence. Smart combinations of data from different sources offer valuable insights that allow us to anticipate emerging threats earlier. Getting the data is often not the issue. Spotting the valuable information in this ocean of data and translating it into actionable results is the real challenge. Here too, we have witnessed real progress lately.
To conclude, I am quite optimistic about the progress we are making. Of course, we will never reach the Valhalla of a world without cyber incidents. But we are well on our way to turning this into a manageable risk, managed by cyber-resilient organizations. I hope the articles in this edition of Compact contribute to that.