As a non-profit professional association with 125,000 certified cyber, information, software and infrastructure security professionals, (ISC)2 and its members are working to raise awareness of what occurs on the front-lines of cybersecurity practice to ensure a safer and more secure cyber world. This article shares their perspective on fundamental areas that will help businesses take back control of cyber-risk and be better prepared for the unknown.
Cyber-risk is a business risk
Rapid adoption of technologies is transforming the business landscape at a relentless pace. The pressure is on to reap the benefits of connecting every system, however sophisticated or simple: from high-profile innovations such as driverless cars and remotely connected medical devices, to the everyday tasks that allow product fulfilment and inventory management across a vast and distributed network of retailers.
It’s a transformation that reaches far beyond the systems themselves to enhance what people can achieve and their levels of independence, delivering huge productivity gains and new opportunities for organisations.
Unfortunately, the transformation comes with new risks, as hostile individuals and groups have also exploited the changing landscape for nefarious purposes. Such threat actors have the skill, the motivation and the time to research targets and to craft and launch attacks, and they are contributing to an evolving and proliferating threat landscape that has become both increasingly sophisticated and easy to access for those who would do harm.
As a result, businesses and organisations have found themselves dependent on new capabilities long before they have developed a clear understanding of how those capabilities leave them vulnerable.
For most organisations, whatever their size, cybersecurity has been a consideration. Preparations, however, are not standing up to the test of a real-world cyberattack or reflecting the impact being felt. This is because information and cyber-risk remains poorly understood outside of the information security profession, limiting the commitment and ability to robustly quantify the risks.
Accept cyber is a business risk
On average, organisations suffer over 100 targeted cyberattacks a year. One in three of these attacks – an average of two to three every month – is successful.
The lesson being learned from current breaches is that cyber-risks do not just affect IT systems; they also contribute to, and can even increase the likelihood of, business or physical risks.
One incident in the steel industry resulted in significant damage to a factory and blast furnace in Germany, when hackers breached office systems and used that foothold as a window into production systems.
The challenge of securing organisations therefore goes beyond the resources of cybersecurity professionals and the small pockets of deeply technical experts that analyse the threats. A holistic understanding of both the nature of the cyber-risk that your organisation faces and the potential impact on your business is needed to guide the necessary treatments.
To make this fundamental realignment happen, business leaders should:
- Acknowledge that cyber-risk exists as a current and high-level threat to their business
- Debunk the perception that information and cyber-risk is a technology problem to be managed by the information security and IT functions
- Place cyber-risk on the organisation risk register
- Create or enhance the governance framework to include cyber-risk management
- Bring the CISO into all risk discussions
- Identify the key operational dependencies and prioritise resources for their protection
Align cyber spend to your risk
(ISC)2’s Global Information Security Workforce Study has reported increasing security department and IT security budgets for over a decade.
Hiring of security personnel is also robust with 70% of hiring managers around the world participating in the survey planning to add to their teams in the next 12 months.
Despite this investment, our workforce study shows that since 2013 there has been a declining global state of security readiness with organisations taking longer to recover from a breach and often unable to identify the cause.
Even though they are armed with bigger budgets, cybersecurity professionals are forced into a ‘fire-brigade’ approach of simply addressing security incidents when they occur.
Instead, business leaders at all levels must work with security professionals to proactively assess the specific risks to their organisation, project or function, not just to the systems, in order to develop a robust understanding of the most appropriate response and the level of resources required to mitigate or manage those risks.
Business leaders should challenge their managers and the CISO to:
- Use a consistent and robust methodology to identify, treat and manage cyber-risks
- Highlight critical systems and data
- Assess regularly the vulnerability of those critical systems and data against an evolving technological landscape and threat
- Implement cyber-risk treatments and measure their performance over time
- Show, through metrics, KPIs or KRIs, how risk treatments are effective at reducing risk
- Demonstrate how investment is matched to risk
- Link cyber-risk to organisational frameworks such as Enterprise Risk Management
- Invest in technology and expertise to assess and manage the measures taken by partnerships and suppliers to maintain a level of cybersecurity proportionate to the identified risk
- Prepare, and regularly rehearse, the organisation's response to cyber-events in a way that reflects the value of the data or systems breached and the potential impact on the organisation.
Create a culture that prevents vulnerability
Organisations require a dialogue that ensures cybersecurity is broadly appreciated as more than an IT or specialist concern, and that plugs into the business acumen driving the organisation's success. This dialogue should cover how the organisation, its products, services and business processes are evolving, and must be grounded in the terminology not just of risk, but also of ambition, development objectives, sector traits and so on.
Business leaders should regularly and actively challenge IT and information security leaders on how organisational developments and innovations could open them up to new risks.
IT and security leaders must challenge the business to communicate not just their requirements, but also their aspirations for how systems will be used by people, employees and customers, so everyone can gauge potential risks.
This is a two-way street: as much as information security leaders can push this dialogue, business leaders must make time to listen, comprehend and discuss the risks so that everyone can fully develop their understanding.
Building a culture does not happen overnight. However, business leaders can:
- Emphasise cyber-risk in all their discussions
- Encourage cross-departmental cybersecurity collaboration
- Build awareness and education about cyber-risks into all the training materials of the organisation
- Link objectives, bonuses and pay to the identification and management of cyber-risk
- Set expectations that all projects, business cases and initiatives address cyber-risk and have consulted with the CISO
- Require regular reports and updates from direct reports, the CISO and other stakeholders on the cyber-risk status of the organisation, and question what they report
- Mandate the creation or use of a cyber-risk governance framework, management standards and methodologies
In conclusion… Leadership is key
The pace of change in today’s business landscape is increasing complexity and introducing new risks that challenge our understanding of what good business practice means in a connected world.
It is time to set our organisations on a journey to becoming a resilient, thriving concern in this world. CEOs and boards can look to the cybersecurity profession as advisors, managers and founts of front-line knowledge – but not as the front line of accountability.
Business leaders themselves must grasp the challenge, set the dialogue and motivate the robust understanding and response required to stand the test of real-world cyberattack.
Cyber-risk is a business issue and responsibility, not just the domain of the experts.