CIO OPINION
“BUSINESS LEADERS THEMSELVES MUST GRASP THE CHALLENGE.”
are not standing up to the test of a real-
world cyberattack or reflecting the impact
being felt. This is because information and
cyber-risk remains poorly understood outside
of the information security profession,
limiting the commitment and ability to
robustly quantify the risks.
Accept cyber is a business risk
On average, organisations suffer over 100
targeted cyberattacks a year. One in three of
these attacks – an average of two to three
every month – is successful.
The lesson of recent breaches is that cyber-risks
do not just affect IT systems; they also
contribute to, and even increase the likelihood
of, business and physical risks.
One incident in the steel industry caused
significant damage to a plant and its blast
furnace in Germany, after attackers breached
the office network and used that access to
reach the production systems.
The challenge of securing organisations
therefore goes beyond the resources of
cybersecurity professionals and the small
pockets of deeply technical experts who
analyse the threats. A holistic understanding
of both the nature of the cyber-risk that
your organisation faces and the potential
impact on your business is needed to guide
the necessary treatments. To make this
fundamental realignment happen, business
leaders should:
• Acknowledge that cyber-risk exists
as a current and high-level threat to
their business
• Debunk the perception that information
and cyber-risk is a technology problem to
be managed by the information security
and IT functions
• Place cyber-risk on the organisation
risk register
• Create or enhance the governance
framework to include cyber-risk
management
• Bring the CISO into all risk discussions
• Identify the key operational
dependencies and prioritise resource
for protection
Align cyber spend to your risk
(ISC)2’s Global Information Security
Workforce Study has reported increasing
security department and IT security budgets
for over a decade.
Hiring of security personnel is also robust,
with 70% of the hiring managers surveyed
around the world planning to add to their
teams in the next 12 months.
Despite this investment, our workforce study
shows that since 2013 there has been a
declining global state of security readiness
with organisations taking longer to recover
from a breach and often unable to identify
the cause.
Even though they are armed with bigger
budgets, cybersecurity professionals are
forced into a ‘fire-brigade’ approach of
simply addressing security incidents when
they occur. Instead, business leaders
at varied levels must work with security
professionals to proactively assess the specific
risks to their organisation, project or function,
not just to the systems, in order to develop a
robust understanding of the most appropriate
treatments and the level of resources required
to mitigate or manage those risks. Business
leaders should challenge their managers and
the CISO to:
• Use a consistent and robust methodology
to identify, treat and manage cyber-risks
• Highlight critical systems and data
• Assess regularly the vulnerability of those
critical systems and data against an
evolving technology and threat landscape
• Implement cyber-risk treatments and
measure their performance over time
• Show how risk treatments are effective at
reducing risk, through metrics, KPIs or KRIs
• Demonstrate how investment is matched
to risk
• Link cyber-risk to organisational
frameworks such as Enterprise
Risk Management
• Invest in technology and expertise to
assess and manage the measures taken
by partners and suppliers to maintain
a level of cybersecurity proportionate to
the identified risk
• Prepare, and regularly rehearse, the
organisation’s response to cyber events in
a way that reflects the value of the data
or systems breached and the potential
impact on the organisation.
Create a culture that
prevents vulnerability
Organisations require a dialogue that
ensures cybersecurity is broadly appreciated
as being more than an IT or specialist
concern, and that plugs into the business
acumen driving the organisation’s success.
This dialogue should cover how the
organisation, its products, services and
business processes are evolving, and must be
grounded in the terminology not just of risk,
but also of ambition, development objectives,
sector traits and so on.
www.intelligentcio.com