At an NTT Security event in Germany, Kai Grunwitz and Matthias Straub talked with Enterprise Times about the NTT Security Risk:Value 2018 report. Kai Grunwitz is the Senior Vice President, EMEA, NTT Security. Matthias Straub is Director for Consulting in Germany and Austria, NTT Security. They have both been involved in cyber security for many years.
Grunwitz points out that the decision makers are not looking at cyber security. Their focus instead is on information security, the risks to the business and what it means to the business strategy. It is also important to change the language that is used. Rather than talk cyber security, it is important to talk risk. This is a topic that the board understands and can apply across the enterprise.
To put cyber security into risk terms, Grunwitz says: “We have to focus on meaningful risk KPIs when we talk about exposure.” When we talk cyber it is not specific enough in terms of the threats to the business. Grunwitz goes on to point out that only 60% of organisations have Cyber Security or Information Security as a board level topic. Organisations are focused on digital transformation but they need to make sure that security is part of these programmes and not a bolt on.
Straub makes the point that “security should be, and can be, a business enabler.” He cites cloud as an example of this, one that also delivers a return on investment.
Businesses are overoptimistic about their cyber security
The Risk:Value report threw up other interesting results. One of these was the optimism among organisations that they will not get hacked. Straub puts an immediate damper on that when he says: “Our ethical hacking team is able to infiltrate any company within a few days, it’s not that hard.” He is right. The wealth of tools available to the attacker is greater than that available to the defender.
The problem with tools is nothing new. Grunwitz admits that there are serious problems with the way tools have been purchased and implemented. Organisations layer tools on tools without making sure they work together. They also buy new tools in response to attacks reported in the press, and these too are not integrated into the organisation.
Being hacked is just part of the problem. Organisations think they have effective incident response programmes. This is rarely the case. The impact of social media, being prepared for the press and dealing with queries is just part of the problem. GDPR and other legislation now requires breach notification to occur quickly and not just to the regulator.
The lack of skilled staff is another major challenge. This has led to the outsourcing of a lot of roles. Even here, organisations need to think about their responsibilities. You cannot just push your data to a cloud provider and assume that they are responsible for handling a breach.
To hear more of what Grunwitz and Straub had to say listen to the podcast.
Where can I get it?
Obtain it for Android devices from play.google.com/music/podcasts
Use the Enterprise Times page on Stitcher
Listen to the Enterprise Times channel on Soundcloud
Listen to the podcast online or download it to your local device and listen there.