Extending information risk management to embrace cyber resilience
Global cyber-attacks continue to grow more innovative and sophisticated. Data breaches at major retail brands have shown that cyber risk is an ever-growing concern for organisations around the world.
In today's cyber age, a company's reputation, and the trust that exists amongst its suppliers, customers and partners, has itself become a target for cybercriminals and hacktivists.
Businesses of all sizes must prepare for the unknown so that they have the flexibility to withstand unexpected, high-impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways that go beyond those traditionally handled by the information security function, because new attacks affect not just technology but also business reputation and shareholder value.
Managing Information Risk
Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Cyber resilience requires recognition that organisations must prepare now for severe impacts from cyber threats that cannot be predicted. Organisations must therefore extend risk management to include risk resilience, so that they can manage, respond to and mitigate the negative impacts of activity in cyberspace.
Cyber resilience also requires that organisations have the agility to prevent, detect and respond quickly and effectively, not just to incidents but also to their consequences. This means assembling multidisciplinary teams from business units and functions across the organisation, and beyond it, to develop and test plans for when breaches and attacks occur. Such a team should be able to respond quickly to an incident by communicating with all parts of the organisation, with individuals whose data or accounts might have been compromised, and with shareholders, regulators and other stakeholders who might be affected.
All Hands on Deck
Cyber threats are no longer solely the domain of information security; every unit within the organisation is affected, as are external customers, suppliers, investors, the media and other stakeholders. Senior business leaders, preferably the chief executive or chief operating officer, should lead with a coordinated, collaborative approach that allows the organisation to prepare for unpredictable events.
The incident response team should draw its members from areas across the organisation, develop and test its plans both before and after incidents, and be equipped and trained to communicate quickly with all parts of the organisation, with individuals who might have been compromised, with shareholders and regulators, and with anyone else wherever the impact can be felt.
Instituting a Successful Cyber Resilience Program
Organisations today function in an increasingly cyber-enabled world, and traditional risk management is not nimble enough to deal with the risks that arise from activity in cyberspace. Enterprise risk management needs to be extended to create risk resilience, built on a foundation of preparedness. Organisations have varying degrees of control over evolving security threats, whether they originate from external attackers or from insiders.
A comprehensive cyber security programme draws on industry standards and best practices to protect systems and detect potential problems, together with processes for staying informed about current threats and enabling timely response and recovery. Applying cyber security standards and practices through a resilience-based approach allows cyber risks to be managed more comprehensively and cost-effectively than compliance activities alone.
Cyber resilience is about ensuring the sustainability and success of an organisation even when it has been subjected to an attack that is now almost inevitable. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and to respond quickly and appropriately.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner