The way we do business is constantly being reshaped by technology. Its impact certainly has a positive side, for example making production and management processes more efficient, enabling more innovative ways of working and cutting the cost of accessing new technologies. There is a negative side too: pervasive digitalisation widens the attack surface that every company has to take into account in its business risks. In particular, cyber threats are increasing rapidly because, compared with more tangible threats, they are relatively easy to mount and quite complex to counter. Cybersecurity is increasingly raised in senior management meetings, to the point where it has entered the agendas of many CEOs.
The urgency of dealing with cybersecurity is clear to everybody, as nowadays cyber attacks even make the news, but what makes cybersecurity a difficult topic is its complexity. Working in cybersecurity means diving into technical, managerial, organisational, strategic and, above all, human topics. It is not enough to have an antivirus if a user is allowed to switch it off in order to open the attachment to that email from an unknown sender which promises easy money.
To clarify the cybersecurity landscape, it is commonly divided into nine domains, each of which is crucial to securing a company and therefore needs to be discussed and applied to the specific context of the business.
Because of the complexity discussed above, cybersecurity needs its own governance, which monitors and orchestrates all the components and people that secure the company. This domain also includes user training and awareness, which are crucial themes for corporate security.
Identity and access management.
As soon as the company owns a device, two questions arise: who is authorised to use it, and how are they granted access? This domain therefore covers the management of credentials (username and password), which must be created, monitored and revoked, and of each user's permissions.
This is the most familiar domain, because it deals with the technical measures usually associated with cybersecurity (antivirus, firewall, spam filter).
Cyber threats do not come from hackers only, but also from several environmental factors surrounding the company. How can business services be guaranteed if the server room is flooded? Or during a global pandemic?
In the last decade there have been many laws, European regulations, standards and best practices that guide (but, given how many there are, can sometimes confuse) those who work in security. This domain considers all of a company's security systems with regard to the applicable regulations.
This is possibly the most technical domain and consequently the one where it is hardest to find qualified experts. Cryptography is the science that studies methods to guarantee the confidentiality, integrity and availability of information. Consequently, cryptography is at the core of, and omnipresent in, all security systems.
Access to the IT systems covered by the second domain is not the only kind of access. Authorising people to physically enter the company's perimeter, a server room or any other sensitive area is also a theme dealt with by security.
Software Development Security.
Security is not only a matter of dedicated tools or methodologies but should also be integrated into any piece of software, even if its main functionality lies elsewhere. In this sense, security expertise is essential for developing any kind of software that executes critical functions or has access to sensitive information.
This domain includes all the business units, procedures and technologies used to analyse threats and identify if and when a company is under attack. Such an identification is then followed by the application of mitigation controls to reduce risks and by the execution of a remediation plan to restore the situation to what it was before the attack.