Imperva: Making the case for cybersecurity investment
2018 turned out to be a significant year for cybersecurity with breaches and attacks making the news far too often.
While this discrepancy is worrying, it shines the spotlight on why business leaders are yet to fully embrace the value of cybersecurity.
Although we’re in the era of digital transformation, many organizations are looking for guaranteed returns from their technology investments. Therein lies the problem – with increasingly tight budgets, senior leaders’ view of cybersecurity systems is currently framed as insurance. So, how do we shift this mindset so that senior leaders can better understand that the value of protecting business-critical data extends far beyond just covering your assets?
Cybersecurity and the board
In recent months, we’ve seen the introduction of new regulations such as the EU’s GDPR, as well as constantly shifting privacy laws in nearly every geography. While there are considerable levels of effort required to prepare for these new compliance landscapes, they are putting security strategy decisions at the top of the priority pile of boards and exec teams.
Board members, in particular, are responsible for establishing good governance practices and policies for driving better financial performance and growth. For this reason, it is vital that they have a comprehensive view of their organization’s cybersecurity strategy, and the required level of investment for buying down their risk.
Where cybersecurity may have previously been considered one subset of operational IT, a cursory glance over the press clippings in recent years will have alerted them to the real challenge. A growing number of business leaders are awakening to the fact that a data breach is all but inevitable. What they need to know is how they can limit the scope of damage from a data breach with the right level of investment.
Step 1: Making the case to senior leadership
As the levels of liability for failing to govern risk and protect critical data are transferred from the IT department to senior leadership, these leaders need a quantified measurement of risks including:
· Compromised customer data
· Diminished brand and reputation
· Loss of investor and consumer confidence and loyalty
· Stolen sensitive intellectual property
· Compliance and regulatory sanctions
· Business disruptions
Step 2: Assessing the current situation
Once these risks are quantified, due diligence will require leaders to assess the steps their partners and competitors are taking to avoid exposure. Relationships with technology suppliers and lenders then become less transactional, and more of a long-term advisory partnership, as they’re best placed to provide advice on the current trends within your marketplace.
Step 3: Do a complete audit
The next step requires you to conduct a thorough inspection of your current security posture.
This involves understanding where your critical data currently resides, who requires access to it and more critically, who actually has access to it.
While it’s a drum we beat perpetually at Imperva, many leaders don’t understand the risks of a potential data breach by careless, compromised, and malicious insiders. Not all data assets carry the same level of risk, and not every employee should be given carte blanche access to all organizational data.
While this may be time-consuming, leaving no stone unturned at this stage of the audit will give you a clear understanding of where your security measures stand currently and benefit you greatly in the long run.
Final step: Determine the right investment for your business
By appraising your data assets in terms of their value and risk, you can then begin targeting your investments towards timely threat detection and incident response.
No matter the time and effort invested, it is important to remember that data breaches are inevitable.
Framing this approach as a risk/reward equation and using a tiered security approach ensures that your organization can protect high-value targets that would cause significant harm if they were compromised.
At the very least, senior leaders need to be made aware of the growing threat they face every day from external cyberattacks and internal data breaches. A single breach has the potential to irreparably damage the financial condition of even the most successful business, and ruin the careers of those leaders involved. Rather than being packaged within IT investments, your cybersecurity spending rationale really needs to be highlighted as a high-level risk mitigation strategy.
How changing your company's software code can prevent bias
Two-thirds of tech professionals believe organizations aren’t doing enough to address racial inequality. After all, many companies will just hire a DEI consultant, have a few training sessions and call it a day.
Wanting to take a unique yet impactful approach to DEI, Deltek, the leading global provider of software and solutions for project-based businesses, took a look at and removed all exclusive terminology in their software code. By removing terms such as ‘master’ and ‘blacklist’ from company coding, Deltek is working to ensure that diversity and inclusion are woven into every aspect of their organization.
Business Chief North America talks to Lisa Roberts, Senior Director of HR and Leader of Diversity & Inclusion at Deltek to find out more.
Why should businesses today care about removing company bias within their software code?
We know that words can have a profound impact on people and leave a lasting impression. Many of the words that have been used in a technology environment were created many years ago, and today those words can be harmful to our customers and employees. Businesses should use words that will leave a positive impact and help create a more inclusive culture in their organization.
What impact can exclusive terms have on employees?
Exclusive terms can have a significant impact on employees. It starts with the words we use in our job postings to describe the responsibilities in the position and of course, we also see this in our software code and other areas of the business. Exclusive terminology can be hurtful, and even make employees feel unwelcome. That can impact a person’s desire to join the team, stay at a company, or ultimately decide to leave. All of these critical actions impact the bottom line to the organization.
Please explain how Deltek has removed bias terminology from its software code
Deltek’s engineering team has removed biased terminology from our products, as well as from our documentation. The terms we focused on first that were easy to identify include blacklist, whitelist, and master/slave relationships in data architecture. We have also made some progress in removing gendered language, such as changing he and she to they in some documentation, as well as heteronormative language. We see this most commonly in pick lists that ask to identify someone as your husband or wife. The work is not done, but we are proud of how far we’ve come with this exercise!
What steps is Deltek taking to ensure biased terminology doesn’t end up in its code in the future?
What we are doing at Deltek, and what other organizations can do, is to put accountability on employees to recognize when this is happening – if you see something, say something! We also listen to feedback our customers give us and have heard their feedback on this topic. Those are both very reactive things of course, but we are also proactive. We have created guidance that identifies words that are more inclusive and also just good practice for communicating in a way that includes and respects others.
What advice would you give to other HR leaders who are looking to enhance DEI efforts within company technology?
My simple advice is to start with what makes sense to your organization and culture. Doing nothing is worse than doing something. And one of the best places to start is by acknowledging this is not just an HR initiative. Every employee owns the success of D&I efforts, and employees want to help the organization be better. For example, removing bias terminology was an action initiated by our Engineering and Product Strategy teams at Deltek, not HR. You can solicit the voices of employees by asking for feedback in engagement surveys, focus groups, and town halls. We hear great recommendations from employees and take those opportunities to improve.