Information Security – A Capability Overlooked or a Feature Assumed?


In this technologically advanced era, where business models aim at delivering superior customer experience, essentially no functional domain remains untouched by emerging technologies. With many business models being disrupted, IT investment is more of a strategic or turnaround decision, and it becomes imperative for firms to integrate IT with their existing models.

We are heading towards a future driven by technology, in smart cities, where processes would be intelligently and remotely controlled with minimum human intervention. Organisations need to ensure that they do not become obsolete with changing trends and strive for better results.

Much has been said about the enormous advantages of the relevant information that can be harnessed from data available in IT systems, about the algorithms that can be used to analyse this information to drive profitability, and about the integration of all functional domains into IT systems. Yet little emphasis has been laid on developing Information Security Systems as a core capability.

A KPMG study, “Supply Chain Management for the Future”, suggested that Australian consumer goods organisations transform their supply chain management in order to exceed customer expectations. The solution entailed a collaborative supply chain management system, integrated with financial information and modernised by driverless trucks, drones, IoT and cloud-based technology.

Another study, by McKinsey, “The Next-generation Operating Model for the Digital World”, describes a next-generation operating model that firms may adopt to enhance their productivity and efficiency. This model combines digital technologies and operations capabilities in an integrated manner to achieve improvements in customer experience, revenue, and cost.

Both these studies describe at length the technological advancements and integrated models that span all the domains of business (sales, finance, operations, etc.), yet neither of them lays emphasis on information security, which encompasses both digital and cyber security.

Generally, companies protect their systems using access management tools, firewalls and encryption software. But with so much integration expected in future, the pertinent question is whether the existing tools, mechanisms and standards will be sufficient to ensure information security. In any network, any weak point can be exploited to inject potentially malicious programs.

A proposed tool may have several layers of protection, but there is a fair chance that the tool itself will not be attacked directly at all. In interconnected systems, a malicious program may be injected at some distant node, such as a vulnerable site or a remote client location, and the program may be intelligent enough to fine-tune its behaviour to match that at the client’s end.

In an ecosystem where systems are expected to take leaps, the way hackers target vulnerabilities cannot be expected to stay the same. The same technologies would strengthen their malicious intent as well.

Most of the tools present today work on access management, which is built on the authentication and authorisation of users (the workforce) accessing information on the basis of a set of rules.

In an interview for MIT Sloan Management Review, cyber security expert Stuart E. Madnick stated that usually 50% to 60% of cyber attacks occur through “spear phishing”, unintentionally aided by the workforce (clearly, access management tools cannot be vital here). In future, access management would not be sufficient to protect the systems.

He further suggested that any data security system should essentially be capable of preventing any attack, detecting any malicious activity, and recovering data and systems after an attack. The majority of tools currently available do only prevention (and that not very effectively); detection and recovery are far out of sight.

In 2015, Ukraine’s electric grid was hijacked. In 2017, Uber concealed a hack that affected 57 million customers and drivers. In 2017, Russian hackers infiltrated the US power grid. Today, when all business models are transforming to digital, are companies amply equipped to prevent, detect and recover from such menaces?

There is also a dire need to question the relevance of the various metrics that are used today. Will they be sufficient to gauge a firm’s performance in a future where the growth of technology knows no bounds? Will not “perceived information security” be one of the core values that any customer would expect? Would not customer satisfaction, brand equity, customer loyalty and customer equity be impacted by this proposition? Will not security be a hygiene factor for delivering customer satisfaction?

Clearly, either the relevance of information security has been undermined or it has been assumed that, with the passage of time, companies would equip themselves to foster better information security.

In any case, information security should not be compromised, and companies should develop capabilities around it to gain competitive advantage.


(Disclaimer: This is a guest post submitted on Techstory by Swati Agarwal, pursuing the one year MBA at Great Lakes Institute of Management. All the contents and images in the article have been provided to Techstory by the authors of the article. Techstory is not responsible or liable for any content in this article.)
