And Cybersecurity, Oh! It's IT Homework


Today cybersecurity no longer takes us by surprise: not the news of breaches, not the enormous sums invested in protection, nor the decisions that must be made to maintain business continuity. What matters now is the position we take when defining the strategic cybersecurity plan. As we saw in another article, the figure of the CISO was created to give the business a person responsible for keeping it healthy as far as its security is concerned. In 22 years of experience I remember that around the year 2000 there was a role called the Information Security Officer. I will be honest with you: at the time I thought it was an exaggeration; today it is a necessity.

The years passed, and during that period I watched technology grow, in small steps at first. At the end of the nineties there was almost no antivirus; it was given away. Malicious actors existed then too, but they were equally limited by the technology of the day and by how little knowledge circulated. They did not stop, however, and they grew as well; today the sophistication of attacks is impressive. Later, technological development in both software and hardware accelerated, costs fell, and access to programming knowledge and communications increased to a stressful level.


Then the pandemic arrived, and with it the technology for remote work, which allowed services to keep growing even through the economic slowdown of that global event. It also allowed attackers to refine their methods and expand their tactics, finding weaknesses more easily and breaching entire networks.

In this context, I can tell you:

“This can no longer be just an IT problem; it is a risk management problem that concerns the entire company, given that data, our most precious asset, is critical to the business.”

Today we protect ourselves by assuming we have already been breached; this is the mindset behind Zero Trust in cybersecurity. But for some threats we know that cyber risk must be managed at every level of the company, from the reception desk to management and the board.

The IT debate begins with our information security strategy, which must rest on these pillars: an architecture we can trust, training and awareness of staff on security matters, and agility to meet business needs.

Cyber threats fall into one of two categories: traditional threats, such as malware and its variants, and highly sophisticated Advanced Persistent Threats (APTs). It is therefore necessary to develop and maintain strong security defences, combining technology, tools and processes, to defend against most attacks. As managers of the area we know it is crucial to:

  • install patches on time and correctly on access equipment such as routers, firewalls and gateways; on server and desktop operating systems, whether Microsoft Windows, GNU/Linux, Apple macOS or UNIX; and on exposed services such as the company website;
  • set rules such as locking accounts after multiple failed login attempts;
  • filter email attachments, and inspect documents coming into the network and data leaving for the cloud;
  • keep endpoint protection (antivirus, and its modern successor EDR) constantly updated and managed from a central administration console; an XDR platform extends that console by correlating telemetry across endpoints, network and cloud, so we can review network statistics and see which computers may be vulnerable or are being attacked.
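The lockout rule above is easy to state and surprisingly easy to get wrong: count failures per account alone and an attacker can lock out a legitimate user from anywhere; count only in a fixed minute and a slow attacker never trips it. The following Python is an added example, not code from the original article or from any product it mentions. It parses OpenSSH-style "Failed password" log lines (the sample lines, hosts and addresses are constructed) and applies a sliding-window threshold per (user, source address) pair; the threshold of 5 failures in 10 minutes is an assumed policy value.

```python
"""Sliding-window lockout detection over sshd-style auth log lines.

Added example for illustration only. The log lines are constructed to mirror
OpenSSH syslog output; threshold and window are assumed policy values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a fast brute force against root from one address,
# two guesses at a non-existent account, one legitimate key login, and a
# slow "drip" of guesses against bob spaced 15 minutes apart.
SAMPLE_LOG = """\
Mar 10 09:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:04 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:06 srv1 sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:07 srv1 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:08 srv1 sshd[2106]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar 10 09:00:09 srv1 sshd[2107]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 10 09:02:00 srv1 sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar 10 09:05:00 srv1 sshd[2120]: Failed password for bob from 198.51.100.21 port 40100 ssh2
Mar 10 09:20:00 srv1 sshd[2121]: Failed password for bob from 198.51.100.21 port 40101 ssh2
Mar 10 09:35:00 srv1 sshd[2122]: Failed password for bob from 198.51.100.21 port 40102 ssh2
Mar 10 09:50:00 srv1 sshd[2123]: Failed password for bob from 198.51.100.21 port 40103 ssh2
Mar 10 10:05:00 srv1 sshd[2124]: Failed password for bob from 198.51.100.21 port 40104 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd inserts it when the account does not exist.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(log, year=2024):
    """Yield (timestamp, user, source_ip) for every failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def lockout_candidates(log, threshold=5, window_minutes=10):
    """Return {(user, src): time_of_trigger} for each (account, source) pair
    that reaches `threshold` failures within a sliding window.

    Keying on (user, source) instead of user alone stops a remote attacker
    from locking a real user out of their own account. The sliding window
    means only a burst counts; bob's 15-minute drip never triggers at the
    default window, which is the blind spot a longer window (or rate
    limiting at the perimeter) has to cover."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (user, src) -> timestamps still in window
    triggered = {}
    for ts, user, src in sorted(parse_failures(log)):
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire attempts older than the window
        if len(q) >= threshold and key not in triggered:
            triggered[key] = ts   # record the moment the policy would lock
    return triggered


if __name__ == "__main__":
    for (user, src), when in lockout_candidates(SAMPLE_LOG).items():
        print(f"lock {user} from {src} at {when:%H:%M:%S}")
```

Run as written, the burst against root from 203.0.113.7 triggers at 09:00:09 while bob's slow attempts do not; widening `window_minutes` to 120 catches bob as well. That tension is the practical point: the lockout threshold and window are a trade-off between catching slow guessing and not locking out users who mistype a password a few times, and a real deployment (PAM faillock, Windows account lockout policy, a WAF rule) exposes exactly these two knobs.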

From my own experience, I know that the human factor is definitely the greatest concern where cybersecurity awareness is lacking. Consider that approximately 90% of all data leaks are caused by individuals, through both intentional and involuntary actions. Attackers sometimes break into the organization's network through targeted phishing attacks and social engineering campaigns that harvest user passwords.


I recommend deliberately incorporating cybersecurity knowledge and diligence into our culture; we should already consider it a foundational element of any global cybersecurity strategy. The key is to make security awareness matter to people. Executives and staff learn differently and require different approaches to care about and understand the value of security. I have met detachment and apathy toward learning what, in technology terms, can harm the business, so as an IT leader I reinforce security awareness campaigns about the risks we may be exposed to, providing creative and concrete ways to continually engage business leaders.

For example: training workshops, reinforced with monthly internal newsletters, interviews with executives, risk reviews, and simulated threat and vulnerability tests. We must strive to keep all of this simple and adjusted to each job profile. We then go a step further by showing staff how to apply these lessons in their personal lives, with recommendations, articles and blogs they can share with family and friends, in fact with anyone: at home, with my children's friends, neighbours and so on.

“The important thing is to help prevent what is humanly possible and protect ourselves so as not to fall prey to threats, adding a layer of protection to the multi-layered security approach.” —Rberny 2023

As an information security professional, I also take part in meetings to speak plainly with our partners. With them I explain the value of security, justifying what could happen and whether an investment or an extension of our policies is needed, without rendering operations unworkable in the process. I continually answer questions like:

  • What does the global security control protect?
  • Why does it matter?
  • What is the role of the end user?
  • What impact does it have on the company?
  • What is the role of partners in cybersecurity decision-making?
  • How regularly will the issue be discussed?

It is imperative to communicate how built-in security controls protect users, data and company intellectual property. It is my responsibility to learn how risk profiles vary across business units and service organizations, and I recommend partnering with each business unit to work out the appropriate balance between risk and security controls.

This is where a structured information security management framework becomes critical: it aligns the security of key information with business strategy, provides a standardized approach to risk management, ensures consistent application of security knowledge, and directs appropriate information security investments toward organizational priorities so that we remain competitive in the market.


Innovation and resistance to change

Innovation is the result of a complex, interactive process involving technologies, human resources, professional training, organizational capabilities, design and other intangible factors of business activity. It is the art of turning knowledge into wealth and quality of life. Innovation thus appears as an essential condition for organizational expansion, such that technological change becomes the engine of sustained growth.

Against this stands resistance to change, whose impact turns out to be more social than technological: the paradigms of the people who make up the business must be confronted, since change alters their work routine.

It is difficult to advance changes in an organization or company if they are not supported by the values, attitudes and behaviour of its people. Commitment therefore matters from the start: to the extent that workers internalize the changes and become partners in them, they feel more like protagonists of the process than victims of it.

In this sense, information technology has driven change in the business and in its planning. I can tell you that I have managed to embed it successfully in our cultural patterns and development strategies, making the company more competitive and its processes more efficient. I am sure we should not treat it as a one-off process, nor as another fashion or passing technology; we must remember that others may be taking the lead and leaving us out of the competition, so its adoption must be timely and shared by every member of the company, achieving the competitive advantage our products and processes require.

Is resistance to change an IT risk?

I believe it is a risk for IT and for the entire business, so it is worth studying and analysing how the staff involved react and respond to the adoption of a given information technology, especially when instilling a culture of care in how we use the company's computing resources. If we raise the aspects that should be reviewed in their equipment and systems, the implementation of cybersecurity will bring more positive than negative results, from the point of view not only of process but also of people. The generational difference is the key point in facilitating this adaptation; it is easier for young people.


I consider it prudent to establish the impact that innovations have on the people who are part of the business: the reactions involved in adopting a given technology, the paradigm shifts that cybersecurity entails, the need for everyone's participation, and of course the importance of information technology in creating competitive advantage in an increasingly globalized market.

As a final reflection: technological change must be adopted together with the staff and in line with the company's interests. Otherwise it becomes a risk in the implementation of information technology, bringing additional costs that cannot be avoided when resistance to change has been poorly planned for.

This time we saw:

  • Cybersecurity experiences.
  • The new figure of the CISO; this point is explained more fully in the linked article.
  • Shared responsibility for cybersecurity between the business and its people.
  • Prevention as the best way to prepare and reduce the attack surface.
  • Creating a culture of prevention through cybersecurity.
  • The human element.
  • IT risk arising from resistance to change.

We have not gone into technical depth about cybersecurity; the intention here is only to create awareness and to offer the perspective of the person in charge of the IT area.

Absolutely no one is exempt from attack; it does not matter who you are or how much you have. It is possible that they have already visited you without you even noticing; those are the best, because they never make themselves known.

Some will agree with the ideas presented and others will dismiss them; however, they have worked well every time I have implemented them. I have always thought that if people are aware of what is happening, of how to avoid it, or of what to do if they suspect an event, their participation helps us help them better.

I welcome new contacts around the world; it is satisfying to connect with you, exchange ideas and create synergy in an area of such responsibility.

Thank you very much for your time. Your friend,
