As the digital transition continues to make headway in almost every industrial sector, the effectiveness of IS security in projects has become a key issue. Faced with a rising number of security incidents and cyber-attacks (the number of cases quadrupled between 2019 and 2020 in France), it is in companies’ best interests to adopt a preventive approach to security, if they do not wish to keep paying the price for passive risk management.
Security by design or the art of anticipating so as not to be caught short
While initially intended to automate certain low-value-added tasks, information systems have now developed to the point where they can perform increasingly complex and crucial tasks. Today, they have a far wider and more comprehensive scope of action, making them more vulnerable to security incidents, and especially to cyber-attacks. To counter such threats, most companies have, until now, adopted a reactive approach in their response to security incidents and a passive approach to risk management. Although this kind of approach was still sufficient a few years ago, it is no longer in line with reality, since the consequences can be so disastrous for businesses, especially if they are paralysed following an attack or incident.
This is why an increasing number of companies are looking to implement a preventive security strategy, commonly known as “security by design”, which aims to incorporate security in the actual design of tools or the scoping of projects. This type of approach involves both the implementation of monitoring and surveillance tools using artificial intelligence and the definition of an effective cyber-security strategy for all projects. By adopting this kind of preventive policy, companies can anticipate and counter many kinds of attacks. Moreover, they can be more agile and responsive when incidents actually occur, by shifting from a passive to an active defence strategy.
A long-term investment
Inevitably, putting in place an efficient preventive security strategy comes with a certain cost for businesses. From the design and integration to the support services, this approach results in a new organisational structure, in which internal resources need to move from a primarily reactive stance to a proactive position. This involves a significant investment for companies, but they should bear in mind that, in the long term, adopting a preventive approach will mean allocating fewer resources to responding to security incidents and dealing with the consequences, and thus result in real savings.
This being said, deploying a comprehensive preventive security strategy is something that remains the domain of (very) large companies, since they already have IS departments that are suitably structured to carry out this mission. Consequently, most companies will look to outsource the integration of security into their projects, particularly with regard to the most expensive tasks, such as detection tool updates, monitoring or surveillance.
Project security: the human aspect of the challenge
Despite the active surveillance implemented in a preventive approach, the fact remains that not all attacks are predictable, so there is still an element of uncertainty in risk management. In this context, human judgement still plays an integral role. Indeed, by looking beyond the parameters of AI tools (as effective as they may be), human judgement can provide a finer analysis and interpret what detection tools alone cannot.
It is therefore safe to say that you cannot guarantee zero risk. With this in mind, no security strategy, however robust, should neglect developing a corporate culture that actively addresses the issues of risk management and cyber-security. This is of paramount importance, especially since the number (and diversity) of vulnerabilities is growing at the same rate as, if not more rapidly than, the digitisation of companies. Consequently, it is important to introduce a risk management policy that consolidates the technical measures taken before the projects start. This approach does not claim to be infallible, but it does have the merit of involving the whole company in appreciating and addressing the subject of IS security.