In this post, Gonzalo Cuatrecasas, professor of the Global MBA in Digital Business and a cybersecurity expert, introduces the notion of divide-and-conquer algorithms and how to apply a similar concept to finding solutions to complex cybersecurity problems.
In computer science, divide and conquer is an algorithm design paradigm. A divide-and-conquer algorithm recursively breaks down a problem into two or more sub-problems of the same or a related type, until these become simple enough to be solved directly. The solutions to the sub-problems are then combined to give a solution to the original problem.

From my years of experience as an information security specialist, and my unfortunate involvement in various business data breach situations, I have come to learn that Baseline Assessment projects and Cybersecurity Threat Remediation projects often get real attention only after the damage has been done.

It is for this reason that I propose a new approach to the implementation of cybersecurity projects. In essence, it is a preemptive approach designed to use all the existing competencies in the company, rather than focusing our defense plan on the same people who will be involved in restoring the business after an unfortunate data breach. My idea is simple: segregate the responsibilities of data security into two big areas, "people" and "technology".

On the one hand, "people" are the weakest link in the security chain and are often responsible for compromising established system security measures. After all, the systems must be configured to allow people to access the data within; otherwise, if the systems were too tightly closed, they would become irrelevant, and the information needed for the business would have to find other, less secure ways to flow (CIA Triad – Availability Concept).

On the other hand, we apply technological security features to devices, networks, and systems to ensure that only authorized people are allowed to access information in our systems (CIA Triad – Confidentiality Concept). We also invest a lot of energy to ensure that the data cannot be changed or destroyed accidentally and that it's properly managed according to its purpose (CIA Triad – Integrity Concept).

Case in point: the DPO role required under the new GDPR is not often found within the IT department. The norm requires that this role be independent and representative of the data protection authority.
Cybersecurity risk management is a complex problem to tackle, especially given the fluid nature of evolving threats and ever-changing players. Having a single team on this task is a lot to ask in terms of responsibility and skillset. Complex problem solving requires subject matter expertise and intelligence beyond that of any single individual.
IT security teams are good at what they do; they are trained for it and know the company laterally, which makes them most effective. However, the same is true of the Human Resources and Occupational Risk Prevention departments.
In my opinion, we should look outside the boundaries of technology teams to implement our cybersecurity strategies. This approach spreads the responsibility by getting more departments involved, and therefore creates a virtuous collaborative cycle. One particular area of difficulty in the deployment of cybersecurity plans is end-user awareness. This area could be well suited to management by the Human Resources department: corporate culture, conduct policies, and the skills to shape people's behavior are innate to the activities of HR departments and can go a long way towards preventing data exposure and unnecessary security risks. Furthermore, some activities could be divided further between HR, Corporate Communication, Corporate Risk Management, Marketing, Risk Prevention, and of course IT. Each can take, develop, and deploy the parts that fit most naturally with its skillset and place in the company.
Professor of the Global MBA in Digital Business
CIO at OCA Global