If organisations are to enhance their cyber security capabilities in a meaningful way, they have to be proactive. The ever-changing nature of the information security landscape demands it.
Many organisations employ a number of disconnected point solutions when trying to address cyber security. A large proportion of these solutions are the implementation of technical tools claiming to be the next panacea of the cyber world. These disconnected point solutions will not stop a determined adversary from accessing the confidential information within an organisation.
This calls for transformation: a wholesale program of change within an organisation as it moves from a reactive to proactive operating model, and ensures a holistic approach to security, compliance and monitoring across the organisation. Transformation goes beyond technological solutions, addressing core people processes, culture and the behavioural elements of a complete solution.
By taking a longer term view and building for the future of the whole organisation – not just focusing on technology fixes and short-term reactive issues – the chances of success in the digital world are significantly increased.
"Information risk management is more than just security. It entails privacy, information governance, business and information technology resilience and continuity to work together for a common purpose."
Partner, Technology Risk
A transformational program requires strong foundations. This is about creating the leadership, sponsorship and governance environment to truly succeed. It includes getting stakeholder buy-in and building stakeholder support. It is also about the board owning the program.
Cyber security cannot be left to the technology department. It is the board that has to decide on the level of risk it is willing to accept. It is the organisation’s leadership that must implement the overarching strategy, ensuring that it is embedded throughout the organisation.
By guaranteeing the program's legitimacy through clear ownership and accountability, an organisation will be prepared to meet the challenges of the digital world cohesively. Without these foundations in place, an organisation’s approach to cyber security is likely to restrict rather than enable its broader business goals.
A proactive operating model hinges upon the able sourcing of threat intelligence. This directly draws on the practices of law enforcement and intelligence agencies, which can provide considerable insight into gathering and using threat intelligence to preempt criminal behavior.
At the heart of threat intelligence is the sharing of information. However, this requires organisations to overcome significant trust barriers and collaborate with competitors and law enforcement agencies to effectively target the threats. Many organisations are not prepared to go down this path as yet.
To some extent that reflects the fact they are still lower down the cyber maturity curve. An indication of your level of cyber security preparedness and information assurance, the cyber maturity curve is a multi-dimensional benchmark incorporating leadership and governance, operations, technology and compliance.
By understanding where your organisation is on the maturity curve, you can fully realise where you need to go. Ultimately it is a journey over time that transforms your business processes, your internal culture and your risk awareness.
Information risk management is more than just security. It entails privacy, information governance, business and information technology resilience and continuity to work together for a common purpose. There are tough challenges as increasing amounts of data are collected and transferred around the world across many diverse legal and regulatory regimes. It requires an integrated approach to business resilience which includes cyber security.
Sometimes information security gets put in a little box. While it is a particularly prominent issue at the moment, in fact it is just one of many operational risks that an organisation has to deal with. By delivering holistic programs that address real business risks, an organisation can also attain real business benefits.