Above all else, cybersecurity must adapt

The first questions that should be asked by any business around its security intentions is, "what are we actually in business to do, how do we create value, and how does security help us get to where we need to, to be successful?"

Being clear about these objectives is so important because the debate and noise around security is intense - and there is a risk that this noise drowns out the reasons why an organization needs to be secure in the first place.

At the heart of this is a core concept for corporate cybersecurity: that the security must be adaptable.

I call this an Adaptive Security Fabric. Being adaptable means building adaptability into the security strategy from the start, so that the strategy can then respond to external changes, threats or opportunities, and has intrinsic adaptability built in.

Perhaps most importantly, Adaptive Security Fabric should be agile in order to serve business unit leaders inside the organization

Multiple inputs to security

In creating an Adaptive Security Fabric, corporations need to consider a range of inputs that go beyond the IT and network access aspects. The strategic priorities of the organization (something I discuss in my article on striking the balance between security and value), the human capital inside the organization, the key applications and systems that are used through the company (which can include non-IT systems such as robots or environmental control systems), and business processes are all inputs to adaptive security.

Where an organization is in its digital transformation is also an important factor. There is, for example, a difference between being fully in the cloud, operating a hybrid cloud infrastructure, transitioning to the cloud, or still operating primarily outside the cloud (which is important for certain businesses and industries, in particular of government, defense or medical research).

The specific security considerations, including the eventual solutions, then sit on top of these adaptive foundations.

With this Adaptive Security Framework in place, organizations can assess what security tools, solutions and controls are needed, the roles they have, and how one set of solutions for one part of the organization might influence or affect those in another.

Cyber security in context

In defining an Adaptive Security Framework, context is important.

For example, most knowledge workers around the world will use familiar office applications, with some using additional applications relevant to their particular company or industry. Others will use specialist applications such as advanced manufacturing or design software, or advanced data analytics solutions, as examples.

If 80% of my workforce is using generic applications, what I need to be focused on is making sure that the data and applications they are using are secure, and on having email security policies and cloud application security tools in place. What's important here is the quality of service to employees, and the quality of output to their customers.

If my organization is in a specialist industry, perhaps with IP of extreme value, my focus will be in different areas, putting an acute emphasis on making sure credentials and privileges are maniacally managed.

In both examples, organizations often don't factor in the quality of service as defined by how quickly and easily users can access data or applications. Having an adaptive, tailored, flexible approach to security, seen through the lens of the value the organization creates, delivers a better security solution, one that works to support the organization rather than to inadvertently lock it down.

Different organizations in different industries also have different relationships with external partners. Any company in manufacturing has an incredibly important relationship with, and relies on, its supply-chain partners, for example. The security posture for this type of organization will be different from a financial instruction.

Each has its own security needs and security frameworks.

Each has different security threat surfaces.

Each will create a different Adaptive Security Fabric.

Rebuilding trust

As businesses rebuild, and as many continue to transform, management teams and boards are questioning whether their IT teams can deliver at the speed they need to. Businesses are pushing their digital transformations at speed, and they need to trust that their IT teams can deliver.

This is where adaptability comes in.

Being locked into an IT or security infrastructure, whether by internal policy or a reliance on a particular supplier or application, creates new security pressures and risks. The security of the organization slowly becomes irrevocably linked to the security of the application, like an octopus slowly enveloping its prey. It might not be a deliberate strategy by either party, but it's often discovered only when it's too late to react.

That's why we're seeing a massive shift to consumption based usage, not just with newer companies coming to market, but also with legacy companies seeking to move quickly to?service models that can adapt to the business.

In a world in which businesses paid out US$1.2 billion in ransoms over the past two years, and in a world in which absolute security is in reality not possible, having an Adaptive Security Fabric can help in creating the security baseline to support an overall business and organizational strategy.?It supports businesses in what they want to achieve, and one that can change as organizations - and the threats they might face - change.

The crux of an Adaptive Security Fabric is striking the balance between wanting to be secure, and staying able to take advantage of new opportunities.

It's about allowing the future millennial workforce, digital natives who simply won't accept security limitations that constrain their work styles and lifestyles, to collaborate securely and remotely.

It's about adapting the organization's security needs to its large macro environment.

And it's about creating a security frameworks that is agile, and that can keep up with the organization's needs.

?

?

?