Democratization of Cybersecurity

Avrohom Gottheil, the founder of #AskTheCEO Media, recaps in this article the conversation he had with Vishal Salvi, SVP & CISO at Infosys, about the evolution of cybersecurity and the question of whose responsibility it is to keep us safe.

Cybersecurity is a topic everyone is familiar with nowadays. Not a day goes by without news of a global company’s data breach or another business shut down by ransomware. These attacks are growing by leaps and bounds and are not going to stop anytime soon. According to Cybercrime Magazine, cybercrime is projected to cost the world $10.5 trillion annually by 2025. The important thing to keep in mind is that it is not just big businesses that are exposed: thousands of small businesses, startups, and individuals are targets as well. As the saying goes, it is not a matter of if, but when. Because of this growing threat, cybersecurity has been thrust front and center in everybody’s minds. It is a topic we cannot afford to ignore.

One of the challenges we face with security is that technology evolves so fast that we are left struggling over whose responsibility it is to keep things secure. Does it lie with the manufacturer, management, the IT department, or the end users? The manufacturer is focused on producing products that are convenient and easy to use; security can be cumbersome, so it is often left to customers to secure their own environments. Management relies on IT to secure the company, and so do the end users. The problem with this approach is that everyone is abdicating their role in keeping the company safe, when in reality security is everyone’s responsibility.

Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice at Infosys, sums it up very well in his article titled Democratizing Cybersecurity: “Most employees think either that ensuring security is the job of the cybersecurity team or they are not aware of their specific role in helping ensure a secure organization. There is also a general perception around the fact that security is a very complex technical topic and best dealt with by cybersecurity professionals. In reality, the cybersecurity teams are just the catalysts who drive the change towards building a security-first culture. The power to uphold the change lies with all employees and stakeholders who are performing different roles within the organization.” Essentially, cybersecurity is everybody’s business, as we are all on the front lines when it comes to security.

Over the last several years, the working world has experienced a revolutionary paradigm shift. During the COVID-19 crisis, people suddenly started working from home en masse. The speed of this change put a huge strain on IT departments around the world. Instead of working from the office on managed equipment connected to the company’s network, people were working from home, some on unmanaged personal devices, and virtually everyone was connecting over the public internet. Businesses were not prepared for this sudden change; cybercrime soared and ransomware became rampant. Given how many intrusions begin with social engineering, often nothing more than a simple phishing email, the responsibility for keeping the organization secure rests with the entire staff and not just the IT department. As the saying goes, people are the weakest link in cybersecurity, and all it takes is one person clicking the wrong link to compromise the entire company. Everyone therefore needs to be vigilant about suspicious links and about entering credentials on phony look-alike websites, and anyone who does slip up should report it immediately, because fast reporting is what keeps a single click from becoming a company-wide incident.

This democratization of cybersecurity starts with the CEO, who needs to create a culture that is cyber vigilant. The security team needs to train all employees and run drills, such as simulated phishing campaigns, that test employees and teach them to spot malicious emails in realistic scenarios. Code words and protocols should be set up to verify requests for large money transfers or changes to payment details, and every such request should be confirmed over a separate, known-good channel (a phone call to a number already on file, never a number supplied in the request itself) before the transaction is executed.

With the entire staff trained and standing guard over the company, IT departments can focus on beefing up the organization’s cybersecurity technology, in case something slips through the cracks.

A newer security model called zero trust addresses this directly. Rather than trusting a user or device because it sits inside the corporate network, zero trust treats every request as untrusted until it is verified: access is denied by default, granted explicitly and only to the specific resources a task requires, and revoked as soon as it is no longer needed.

In an article published by MIT Technology Review, Infosys Cobalt writes about the extent of the protection provided by zero trust: “In contrast to traditional end-user security models, a user’s initial sign-in to a zero-trust environment— even one confirmed by a fingerprint, a face scan, or multifactor authentication—isn’t the end of surveillance. Once in, zero trust discreetly follows as users go about the cyber-day, making sure they aren’t up to something nefarious, and haven’t mistakenly clicked on a link that opens a door to a hacker. Except for an occasional request to re-authenticate, users won’t notice zero trust unless it decides it can’t trust you and locks you out of somewhere you want to go.”

By implementing zero trust, even if a hacker compromises a set of credentials, those credentials alone do not open the whole network: the attacker still has to pass the device and multifactor checks and is confined to whatever narrow access that identity was granted, which makes it much harder to move laterally into sensitive areas and bring down the entire company.
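As an added illustration of the zero-trust rules described above (this is example code written for this page, not code from the article, Infosys, or the MIT Technology Review piece), the following Python sketch models a policy engine that denies by default, issues explicit time-boxed grants, re-evaluates every request against the session’s current state, and revokes access on demand. The resource names, session fields, risk flags and time limits are assumptions made for the example; the clock is fixed so the results are deterministic.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """An explicit, time-boxed permission for one principal on one resource/action."""
    principal: str
    resource: str
    action: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class Session:
    """Authentication state of a signed-in user. risk_flags stands in for
    signals from endpoint or mail security (an assumption for this example)."""
    principal: str
    authenticated_at: datetime
    mfa: bool
    risk_flags: set = field(default_factory=set)


class ZeroTrustPolicy:
    # Assumed limit after which a session must re-authenticate.
    REAUTH_AFTER = timedelta(hours=8)

    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def grant(self, principal: str, resource: str, action: str,
              ttl: timedelta, now: datetime) -> Grant:
        """Just-in-time grant: scoped to one resource and one action, expires after ttl."""
        g = Grant(principal, resource, action, now + ttl)
        self.grants.append(g)
        return g

    def revoke(self, grant: Grant) -> None:
        """Revocation takes effect on the very next request."""
        grant.revoked = True

    def authorize(self, session: Session, resource: str, action: str,
                  now: datetime) -> tuple[bool, str]:
        """Evaluate every request from scratch; an earlier success is never trusted."""
        if not session.mfa:
            return False, "deny: multifactor authentication not completed"
        if now - session.authenticated_at > self.REAUTH_AFTER:
            return False, "deny: session too old, re-authenticate"
        if session.risk_flags:
            return False, "deny: session flagged " + ",".join(sorted(session.risk_flags))
        for g in self.grants:
            if (g.principal == session.principal and g.resource == resource
                    and g.action == action and not g.revoked and g.expires_at > now):
                return True, "allow: explicit grant"
        # No matching, live, unrevoked grant: the default answer is no.
        return False, "deny: no active grant (default deny)"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk through the scenarios from the text with a constructed clock."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time
    policy = ZeroTrustPolicy()
    alice = Session("alice", authenticated_at=t0, mfa=True)
    # Just-in-time grant: read access to one database for one hour.
    g = policy.grant("alice", "hr-db", "read", timedelta(hours=1), now=t0)

    out: dict[str, tuple[bool, str]] = {}
    out["granted_read"] = policy.authorize(alice, "hr-db", "read", t0)
    out["other_resource"] = policy.authorize(alice, "finance-db", "read", t0)
    out["other_action"] = policy.authorize(alice, "hr-db", "write", t0)
    out["expired"] = policy.authorize(alice, "hr-db", "read", t0 + timedelta(hours=2))
    out["stale_session"] = policy.authorize(alice, "hr-db", "read", t0 + timedelta(hours=9))
    # A stolen password used from a new device: MFA never completed, so no access.
    thief = Session("alice", authenticated_at=t0, mfa=False)
    out["stolen_creds_no_mfa"] = policy.authorize(thief, "hr-db", "read", t0)
    # Continuous evaluation: a risk signal mid-session locks the user out.
    alice.risk_flags.add("clicked_phishing_link")
    out["flagged_session"] = policy.authorize(alice, "hr-db", "read", t0)
    alice.risk_flags.clear()
    # Explicit revocation once the task is done.
    policy.revoke(g)
    out["after_revoke"] = policy.authorize(alice, "hr-db", "read", t0)
    return out


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The order of checks is the point: identity and device posture are evaluated on every call, the session can be cut off by a risk signal without waiting for the grant to expire, and the only path to an allow is an exact match against an explicit, unexpired, unrevoked grant. Everything else, including a valid password without MFA, falls through to the default deny.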

One way companies implement zero trust is by turning to trusted technology partners who can help them choose the right cloud service provider for their business. Cloud is an important consideration because the major providers have invested heavily in current security technologies and practices and can spread that investment across thousands of customers, delivering hardened infrastructure and identity-aware access controls at a price far lower than an enterprise building the same capability itself. The caveat is the shared responsibility model: the provider secures the underlying platform, but configuring identities, access policies, logging and data protection correctly remains the customer’s job, and a misconfigured cloud account is no safer than a misconfigured data center.

At the end of the day, no matter what level of cybersecurity technology you implement, it all starts and ends with people. Your staff needs to be your front line of defense to keep your company safe. As cybersecurity author Scott Schober titled his book, “Cybersecurity is Everybody’s Business.”