The cyber threat is here to stay, writes Mark Brown. This seems to be the underlying message not just of every conversation I have with business leaders and CISOs, but of Ernst & Young’s latest Global Information Security Survey as well. And of course it does seem to be the driving force behind the UK Government’s FTSE 350 initiative.
What I am seeing in the market is a shift in the way most businesses approach the cyber threat. It seems to me the debate is reaching a point of maturity. Businesses are starting to realise that cyberattacks pose a threat to everything they do, from mergers and acquisitions to IPOs, from product launches to major organisational change and entering into a new geographic market. It is, of course, quite encouraging that businesses have come to realise they must be prepared to counter, manage and mitigate cyberattacks that can occur anytime, anywhere.
What is also becoming more prominent in the business community is that there are now two types of companies when it comes to cyber security threats: those that have been hit by a cyber breach, and those who haven’t yet realised that they have been subject to an attack. As a fellow cyber security professional told me recently, “the penny has dropped”. I agree. We are no longer solely dealing with technical risks but, if left unmanaged, with threats to the very existence of businesses. The recent ICAEW Audit Insights paper on Cyber Security discusses the issue of becoming a cyber fatality.
Support from the board
So if business leaders are now looking for answers and guidance, and are willing to take the time to understand the threat and tackle it, that leaves information security professionals with a great opportunity to increase awareness of what they do and the protection to a business they offer.
Right? In theory…
In practice, only 17% of EY’s survey respondents indicated that their information security function fully meets the needs of their organisation. In 2011, our findings suggested that 51% of businesses indicated increased satisfaction levels. In my view this comes down to the board not being convinced of the efforts of their information security teams. Without high-level support, any efforts from a CIO and their teams will be in vain.
Infosec teams need to step up their game, work closely with the business and gain the glory they deserve for the important work that they do. Instead of writing at length about it, I thought I’d give a list with my top 10 tips on how to get there.
Top ten tips
- Organisations need executive support to establish a clear charter for the infosec function and a long-term strategy for its growth;
- Infosec functions must develop strong, clearly defined relationships with a wide range of stakeholders across the business and establish a clearly defined strategy;
- Organisations need to be willing to invest in cybersecurity;
- The modern infosec function requires a broad range of capabilities with a diversity of experiences - technical IT skills alone are no longer enough;
- Processes need to be documented and communicated, but infosec functions also need to develop change management mechanisms to quickly update and improve processes;
- Infosec functions must supplement their technology deployment efforts with strategic initiatives that address proper governance, process, training and awareness;
- Organisations must establish a framework for continuously monitoring performance and improving their infosec programs in the areas of people, processes and technology;
- Organisations should ensure all their infosec technology is physically secure, especially with consideration for access to Wi-Fi;
- Analytics and reporting - signature and rule-based tools are no longer as effective in today’s environment. Instead, infosec functions may wish to consider using behaviour-based analytics against environmental baselines;
- Infosec requires an environment that includes a well-maintained enterprise asset management system to manage events associated with business priorities and assess the true risk or impact to the organisation.
Mark Brown is director of risk & information security at Ernst & Young
This was first published in December 2013