By David Neuman, Rackspace VP and Chief Information Security Officer
It’s time to change the cybersecurity conversation.
Each year for the last six years, there has been at least one major cybersecurity breach. Yahoo, Sony, Target, OPM and now Equifax have all suffered major consequences — not to mention thousands more businesses that never made the headlines. In many cases, the tactics used by hackers weren’t especially sophisticated. The malicious actors were simply determined to identify and exploit known vulnerabilities in complex ecosystems. This is the new normal.
To minimize the impact of breaches, businesses need to understand that cybersecurity is much more than a technology problem. It’s an operational business problem. In the past, most IT organizations have taken a reactive approach to security, centered on setting and forgetting the latest tools. But when we bolt security capabilities onto the end of business planning and technology deployment, the risks and potential impact of a data breach are exponentially higher. It’s the equivalent of building a beautiful house in a bad neighborhood, leaving the doors and windows open and hanging a sign outside saying that you have valuables inside.
Ensuring security by minimizing risk is a team sport. Organizations must make sure their people are trained and experienced in secure development, sustainment and testing practices before products are deployed. Governance must be led from the top down. It must establish conditions for accountable business activities that align objectives, including the need to provide secure and trusted environments.
Nefarious actors will continue to attack and infiltrate even the most sophisticated organizations. Only by shifting the discussion away from tools and bolted-on, reactive security measures — focusing instead on integrating risk mitigation, resilient operating models and top-down governance into the business itself — can we enable cyber defenders to protect our businesses.
Every day at Rackspace, we help customers move applications out of their corporate data centers and into a managed services model while maintaining acceptable levels of risk. In this installment of Rack Connection, see how our security leaders and analysts leverage that experience to create a different kind of cybersecurity conversation — with specific guidance and best practices to help businesses shift to a more proactive security model built on people, process and technology.