When it comes to cyber security resilience, size does matter. What size, I hear you ask? The size of the organisation, of its budget and of its security team, and the size of the information assets it holds that are of interest to cyber criminals.
I claim the most important preparation for any organisation is conducting a cyber security threat assessment. But small companies are lagging behind, even in understanding how a cyber security breach could force them out of business. Large organisations, on the other hand, have big security teams and spend more on technologies and people. But where should the balance be? I argue that the actions should be to:
1. Establish a cyber security framework that is proactive rather than reactive.
2. Engage in cyber security initiatives that share relevant information on current threats.
3. Put security measures in place in an agile style to tackle current threats.
Let's tackle each point in more detail.
1. Security standards lag behind the cyber criminals' actions. Our industry is rather reactive: we update standards after a breach to add the new controls that could have prevented it. But by then it is too late; the breach has already happened. If we are going to succeed we need to switch our minds from protectors to perpetrators, thinking about how an attacker would get in before they do. That is what Google has now started doing with its elite team of hackers.
2. Too often I have seen situations where security teams try to reinvent the wheel. We are in this together, so why not share relevant and timely information? For this purpose, the World Economic Forum launched the community-led Partnership for Cyber Resilience initiative at the Annual Meeting 2012 in Davos, Switzerland.
The World Economic Forum's report on the initiative summarises the survey results and proposes a way forward. I recommend reading at least the executive summary of the report.
3. Security professionals should engage in debate with company executives on how to change the style of security investment. As situations change quickly, organisations must be prepared to jump on emerging threats fast. Countering many cyber threats does not need more technology, but rather better use of the technology already in place. A slight change to company processes also goes a long way.
My closing argument is simple: be agile, spend wisely and engage in wide co-operation with government and other organisations.
Vladimir Jirasek is managing director of Jirasek Consulting Services.
This was first published in July 2014