Executive Summary
It’s no secret: Information security is a complex and ever-changing world fraught with risk. But adding the most recent tools to your organisation’s cybersecurity portfolio to try to mitigate new threats may be the wrong approach to security improvement. Today, it’s more important to focus on taking care of the fundamentals, which are too often eclipsed by the latest market developments.
In this MIT SMR Connections Executive Conversation, Mark Hughes, president, Security at DXC Technology, and Boulton Fernando, vice president and chief information security officer at Toyota Financial Services, discuss minimising complexity in the cybersecurity landscape. They weigh in on related topics including the benefits of taking more inclusive approaches to building security teams and leveraging collaboration as an essential component for security success.
The truth is that security basics haven’t been deployed as well as they should have been, which has become more obvious in our dispersed, mobile, multi-cloud environments. Getting back to basics means, for one thing, making the best use of the security tools you already have in place.
“At DXC, we often see customers who haven’t yet fully implemented a particular tool, which falls out of favor before it’s fully deployed,” says Hughes. “That means much of its value is never attained before a new tool appears. It’s important to be very careful about swapping things out without considering what’s already there and the utility you could realise if you just finished deploying it.”
“In the past, you might have been able to get away with not having all the basics in place — maybe the firewall settings weren’t right, or you didn’t have the right identity and access control or patching regimes in those environments. That’s no longer the case. Our dispersed, mobile, multi-cloud environments make it essential to have all those basics well covered.”
— Mark Hughes, DXC president, Security
Putting the focus on the basics also means establishing clear ownership and governance over data, within collaborative relationships. “It’s important to collaborate and have cybersecurity people embedded within the parts of the organisation that are responsible for the actual running and processing of the data and the customer information in our systems,” Fernando says. “We want them to understand they’re not on their own, and it’s not just all put on them, but as an owner of a system that is processing information, you do have responsibilities that you have to discharge properly. Collaboration is critical, but you still need to be diligent about understanding who is responsible for what, and making that very clear.” Bottom line: Security should never be about “us vs. them.”
Today many organisations are experiencing a significant shortage of security personnel. They’re adapting by leveraging new hiring pools and attracting people to the profession earlier in their careers.
That said, “organisations can employ armies of security people. But by definition, the basics don’t need a security specialist to manage,” says Hughes. "It’s really about people using healthy practices.”
To that end, security leaders understand that everyone in the organisation represents the front line of defence – and that it’s their job to do the tireless work of promoting security awareness.