Security is not a problem to be solved, but a way of thinking. For a company to be secure, every employee needs to have a security mindset, and security thinking must precede every action.
Or, you could take a different approach. Trust all family members to check that the doors are locked when they leave home. Promise to keep an eye on your neighbor's yard for any suspicious activity while they are on holiday, and they'll return the favor when your family is traveling.
The basics of thinking about business security are not very different. You can consider security as a problem that can be solved by building strong walls around your business. And if there's a breach, just build higher walls next time to keep the intruders out.
But if there's a careless worker who leaves the door unlocked when leaving your fortified business, no amount of physical protection will help.
A more sustainable approach is to think about security as a continuous and all-encompassing process that involves every action, employee, and stakeholder in your company. You shouldn't stop at getting just the physical security right. Everyone who works with your company must have a security-oriented mindset, just like in software development it's essential to design the product to be secure from the ground up, i.e. to have security by design.
What do you do to build and achieve this security mindset, then? Start with two words: risk and trust. The very first step in your cybersecurity journey is to assess the risks involved in your business. The assessment is a thorough process to determine both external and internal security risks, and also the level of your risk appetite.
Basically, risk appetite means that if the risk grows bigger than the company's appetite, the company must act to avoid or mitigate the risk by either building better protection or changing the operations to work around it. For example, your company might have a risk appetite to allow the use of Dropbox, while other companies would reduce the risk with company policies or technical controls.
Another essential security element is trust. In modern cloud-based business, you cannot be in total control of every link in the chain. What keeps the wheels rolling is trusting that every party takes care of their part for security.
Trusting doesn't mean you should be gullible. There are several ways to establish a reasonable level of trust, such as reputation, transparency, verifications, and third-party assurances, to name but a few.
However, all the assessments and security procedures come to naught if security is not embedded in the DNA of the company. This means that everyone must be aware of what constitutes good security – and this, in turn, requires constant education and understanding.
Having the staff educated in cybersecurity is essential to any company that wants to run a successful and sustainable business. It's not easy to build a security mindset but it's totally worth it! To aid you in your security journey, we will soon publish a concise guidebook about cybersecurity essentials for businesses. Stay tuned!
One of the more recent developments that require new security thinking is the organizations' move to the hybrid cloud.
Peter has a long track record of helping businesses increase their security posture. With a curious mindset and a geek's mentality towards technology, Peter helps customers navigate through the enormous security landscape to achieve the best possible outcome. This curiosity led to a deep dive into GDPR and the many challenges our customers and their consumers face, to better understand and advise on how security can play a supportive role in order to obtain compliance. Peter has a background from companies such as F-Secure, Atea as well as Nordic startups.