Cybersecurity is not just about technology. Nor is it only about processes and experts. It’s also about how secure one feels with one’s security setup.
An often repeated mantra is that cybersecurity is not about technology alone. Cybersecurity covers the entire chain of people, tech, processes, culture, mindsets and anything else that can impact security.
There is an aspect that we security people perhaps do not take into account often enough: perceived security. In practice, this means the feeling a person has about whether their system is secure or not. This does not necessarily have anything to do with a cybersecurity setup or the capabilities of an organization. It has to do with perception.
One’s security stack and setup may be the best in the world – but if it does not create a feeling of security, it does not meet all requirements.
Data security is one area that can serve as an example. What data about an individual is collected by the system? Where is one’s data stored and how is it protected? How is the information used? Can it be stolen? How is its validity secured? Here we enter the realms of encryption at rest or in transit, database security, and network security. There are a bunch more considerations in perceived security, but all of these, in my view, can be combined under one cybersecurity umbrella: proximity.
How does proximity, then, create a feeling of security? We tend to feel secure when we have everything relevant to security close at hand. We want to have our systems, tools and data close to us. Seeing them there at the ready, seeing them work – this is when we feel most secure.
This trend towards proximity is evident to cybersecurity experts when discussing security outsourcing and cloud-based solutions. We have noted with interest that purchasing decision makers expect proximity from the solutions they want to buy. At the extreme, this tends to translate into on-prem solutions: proprietary data centres, software, and support teams working in their native language. In other words, a minimal service (outsourced) component – and no cloud.
While the above makes sense from a perceived security point of view, it is less practical in modern digitalization from a technology, process, expert availability or budgeting point of view.
Even if one had the potential (read: money) to build and maintain all that is needed to have top-notch, constantly evolving cybersecurity, could one find the experts to do the work? Or develop all the tech one needs? Or keep growing that data centre?
It all comes down to defining your risks and risk-acceptance level, then allocating your budget across these to balance your risk elements and acceptance.
It’s quite clear that in cybersecurity nowadays, one can rarely go it alone. One knows rationally that in the modern world, it is not fully possible to do everything in house – even if that would bring a feeling of 100% security. Some elements need to be kept in house, some can be acquired and used as services, including from the cloud. It’s the risk mapping and tolerance that determine the split.
At the end of the day, this is a question of retaining overall control. The full security profile is one’s own responsibility. This is how perceived security is attained, i.e. by having the feeling of control. It is possible to attain control with different combinations of on-prem and outsourced cybersecurity solutions, which together compose the whole cybersecurity stack.
Do you feel in control of your cybersecurity? We are happy to help with risk assessments and more to determine the appropriate security setup for your organisation and the industry in which you operate.