One of the noticeable trends of this year has been how boards are becoming more closely involved in cybersecurity. It’s being driven by a combination of factors: new rules such as EU GDPR are forcing many organisations to pay closer attention to protecting their information, and the issue is kept top of mind by high-profile data breaches like Yahoo and LinkedIn, or incidents like the largest ever distributed denial of service attacks against Krebsonsecurity and OVH, which took place within a week of each other this Autumn.
Closer to home, the Central Bank of Ireland’s guidance on cybersecurity and risk, which was published in September, was a stark message for companies to assume they’re going to be targeted, and I expect its effect will also start to be felt in the market in the months ahead.
What’s also clear from the conversations we’ve been having with customers is the varying levels of readiness that many organisations have. If a fire broke out at an office premises, people would know to call 999 and follow the escape routes, but there’s no equivalent, easy-to-remember procedure for cybersecurity.
One of the main growth areas in Integrity360’s business has come from situations where companies have been hit by a data breach or cyberattack and contact us to investigate and plug the leaks. Our technical department has doubled in size in the past two years, and in 2016 alone, our headcount has grown by 55%, which indicates the appetite in the market for cybersecurity services. A quarter of our business now comes from outside Ireland.
We recently announced 150 new hires by the end of 2018, across roles ranging from security analysts, field consultants and network security consultants to cyber risk and assurance consultants, indicating the breadth of options for companies looking to protect their critical information. This new recruitment campaign will bring total employment at Integrity360 to around 300 people. We have already filled 25 of these new roles, bringing total staff at Integrity360 to 140 so far.
Although there has been a noticeable upturn in cybersecurity spending, especially since the end of the downturn, budgets are still finite and many large companies are looking at the ways to get the most from their security investment. Some are looking to work more closely with external third parties like Integrity360, and use managed services as a way to take some of the heavy lifting from their internal teams. We provide a range of managed services including a security operations centre as a service and this area of the business has seen huge growth on the back of this trend.
Another version of this service is managed security incident and event management (SIEM). This is a smart way for companies to get more from their existing investment in IPS systems and web application firewalls, but it adds a layer of reporting and intelligence that many companies can’t achieve because of resource constraints. Going through all of those logs can be time-consuming work, but it can provide vital data about events on a company’s network and can flag suspicious behaviour that could indicate an attack.
Another advantage of using a managed security service is the increased protection that it gives the wider community. When our operations centre sees a potential red flag at one site, we can update the defences not only for that customer but for all others using the service.
Increasing numbers of companies are asking us to advise them on developing a cybersecurity strategy and defining good security processes, while evaluating their risks in the process. We were able to help a customer in the UK to reduce their cyber insurance premium by 60% by showing how they are able to provide security alerts faster.
Another driver in our business has been the need to achieve compliance, but I notice a shift in reasons behind it. Many companies no longer want to treat it as a ‘tick the box’ exercise but they’re achieving certifications like ISO 27001 because they see how it improves their business. If I was a CEO and wanted to sell my company, I would obtain ISO 27001, because it adds value to the business, not only for the customer base but because it pushes the organisation to do things in a process-driven way. Its continuous improvement approach can guide business owners to define their strategy and where to invest to grow your business.
Now’s the chance for IT to step out in front and position security as a business enabler. Here are two examples: more companies want to enable a mobile workforce, and the best way to do this is to build the infrastructure on a foundation of strong security systems and processes. When we conducted a risk assessment recently for a business that had 60% of its sales via the web, we identified and removed malicious traffic that had been coming to the site. Genuine customers’ experience of using the site improved almost immediately, and the company was spared having to invest in additional servers to cope with what they had assumed was real traffic.
I can see the day coming soon when we will be asked to audit a company’s security posture as part of a legal due diligence process, or as part of the warranties when agreeing the sale price. I think it’s telling that one of the outcomes from the Yahoo data breach has seen Verizon re-evaluate the $4.8 billion purchase price and possibly consider whether or not to proceed with the deal.
There’s no better argument for a technology leader to take to their board of directors than the need to see past the fear of breach, or the knee-jerk need to take action for protection, audit or compliance. At its best, security is strategic and it’s a business enabler. And we only have to see the fallout from incidents at Yahoo and at TalkTalk, which lost more than 101,000 subscribers after its own data breach last year, to see that bad security has a lasting business impact too.
This article is courtesy of TechCentral.ie