The (Cyber) Elephant in the Room

Most companies today manage cyber risks primarily by investing in technology. The company implements a new firewall, a new endpoint protection, or whatever software or hardware vendors are hocking as the latest and greatest “mousetrap.” This shouldn’t be surprising, considering that corporate leaders are often too eager to delegate cyber risk management responsibility to their IT leadership, and IT reflexively falls back on what is familiar: technology.

The problem with this approach is that it’s a two-dimensional solution to a three-dimensional problem. History is littered with examples of companies that suffered data breaches even though they had best-in-class technology. J.P. Morgan, for instance, reportedly spent over $250 million-a-year on cybersecurity in 2014 when it suffered a massive data breach. This nonlinear relationship between investment in technology and cyber event prevention is not surprising to information security professionals, who understand that technology is not a panacea. No technology is 100% perfect and we should not expect that it ever will be. Indeed, a root cause analysis of most data breaches points to organizational culture, governance and operational failures, not technical failures.

This is not to say that technology is irrelevant. Clearly it is relevant. Indeed, IT risks deserve special attention. But all too often, companies focus exclusively on technology solutions and ignore other key risk factors. At Tensyl, we believe it is critical that corporate leaders understand that IT is just one of several risks that require management. Nontechnical factors―such as organizational culture, security governance, business practices, and user behavior―also are sources of information security vulnerabilities and need attention. Continue to ignore these risk factors at your own peril.

Interested in learning how Tensyl can help? Learn more about us here.