The UK government’s latest National Cyber Security Strategy requires businesses to have a detailed understanding of the risks to their information systems and raise standards to mitigate them.
The challenge comes as businesses are becoming increasingly reliant on digital and online systems, making it all the more difficult to achieve a good understanding of cyber risks across the whole company.
In the digital era, new points of entry are opening up for most business from email to cloud environments, from mobility to applications, from the payment gateway to the datacentre and many more.
Information security professionals have a key role in digital transformation processes to ensure the business understands the risk, implements the necessary mitigations and accepts the residual risk.
But engaging with business leaders and boardrooms on cyber security can sometimes be as challenging as understanding the threat landscape in the first place, according to information security professionals.
Osterman Research shows that only 37% of IT security professionals believe risk is reduced as a result of conversations with their boards.
Many feel overlooked, ignored and underappreciated when trying to get a budget to address security holes, says Tim Holman, chief executive at 2-sec security consultancy.
“The challenge we face isn’t the business failing to grasp cyber risk, it’s addressing the communications gap between technical staff and business owners,” he says.
Cyber insurance a grudge purchase for business owners
Business owners also do not like spending money on anything that does not make them money, says Holman, adding that even cyber insurance is a grudge purchase.
“I’m never fond of paying a high premium, but I accept it if there’s a niggling feeling that I could lose my livelihood and house if I fail to get the right insurance cover,” he says. “And mitigating cyber risk is exactly the same. If companies don’t do it, they could go out of business.”
But businesses tend to be overconfident in existing defences and often doubt they could be seriously affected by a cyber attack, leaving infosec pros with the challenge of persuading them there is a real need to mitigate security risks.
Holman cautions against demanding cash after something has happened to plug a hole. “It’s about taking a proactive stance, dealing with cyber security before something happens, and being prepared to tell security suppliers where to stick their hardware if it doesn’t fit into your security programme.
“I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme that fits the business. Fortunately, creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business,” he says.
If that does not work, Holman suggests a short, sharp exercise that demonstrates to the business exactly what could go wrong in their cyber world.
“Simulate a phishing email, put a malware test file on your CEO’s laptop, take your CFO’s laptop away for an hour and simulate critical hardware theft. Then leave a suspicious package in the mail room or simulate a web server hack to raise awareness over time, which will ultimately loosen the purse strings and get support for implementing change.”
Raising cyber security awareness
Cyber security is everybody’s responsibility, says Maxine Holt, principal analyst at the Information Security Forum (ISF). “Start by raising awareness across the organisation because people are an organisation’s biggest asset and also potentially its biggest risk. How these people take decisions and behave in key moments is essential to strengthening resilience.”
Holt advises capturing the attention of the business with a “sell not tell” message. “Promote a cyber-secure culture by using business language; individuals switch off if they don’t understand what is being said.”
A business relationship manager role can be used to great effect, providing a bridge between the information security function and the rest of the business. This helps explain what needs to be done to support cyber security.
According to UK government, only around 20% of businesses provided cyber security training for their employees in 2016. “If individuals are unaware of how to behave in key moments, they are likely to make poor security decisions,” she says. “Develop an awareness programme and prioritise it based on the risk profiles of employees. Secure behaviours can be reinforced with regular training and communications.”
Holt believes organisations should focus on rewarding good security behaviour and having strategies in place to address behaviour requiring improvement. “Leading organisations recognise that a network of trained information security champions from within the business can play a vital role in introducing and embedding positive information security behaviours,” she says.
Holt also suggests using various standards to prioritise cyber security requirements and explain these priorities to the business, such as the ISO/IEC 27002 code of practice for information security controls and the ISF’s Standard of good practice for information security.
Business as usual
Adrian Davis, managing director for Europe at (ISC)2, advocates a more “business as usual” approach. “As businesses become more digital by nature, cyber security has to become a part of everyday operations. This means seeing cyber security as another operational risk, such as physical damage or theft, rather than confined to the IT department. This approach has seldom been taken but is desperately needed.
“Businesses have to become more responsible for their own cyber security, and to achieve the government’s aims, we must move away from the misguided approach of reducing cyber security to a technology problem. Cyber security must be recognised as a fundamental component of business, a critical responsibility that business leaders must not ignore,” he says.
Davis believes infosec pros can help in communicating information risk as a business risk by looking at treating it as something more than a technical issue and assessing it in the context of customer service, PR and business reputation.
“These risks must be communicated in a way that clearly explains the potential harm to the business should a malicious or accidental incident occur. The risk treatments that can be put in place given the resources – and the residual risk to the business – must be clearly stated and updated as the business changes,” he says.
Read more about cyber security risk
- An essential part of information security is identifying and managing the risks, experts tell the European Information Security Summit 2016.
- UK organisations are putting their reputation, customer trust and competitive advantage at greater risk by failing to provide their staff with effective security training, a study reveals.
- Politicians and business leaders will discuss the risks posed by technology to jobs, political stability and cyber security at the World Economic Forum in Davos.
Davis believes there needs to be a dialogue between business leaders, IT and information security around information risk.
“Business leaders should regularly and actively challenge IT and information security leaders on information risk and its business impacts, and not just accept that technology can solve the problem. This is a two-way street: as much as information security leaders can push this dialogue, business leaders must give the time to listen, comprehend and discuss,” he says.
According to Davis, organisations should also examine how to include information security requirements from idea through to design, development, engineering, testing and production of any product or service built, produced or bought by the business.
“This “security by design” approach is cheaper and more effective than adding security as an afterthought once the product is in market and problems arise,” he says.
An important element of the “business as usual” approach is for information security professionals to ensure it is easy for people in an organisation to follow good security practices, says Alex Ayers, co-founder and consulting director at Turnkey Consulting.
Different industries have different concerns
In addition, he says information security professionals need to recognise that security is one of the many things businesses are concerned about, and understand that different industries have different concerns. They must accept that “good-enough” security is an acceptable state, and understand that financially quantifying risk, while difficult to achieve, allows budget holders to make better funding decisions and are less likely to see security as a poor investment.
“As security professionals, it is very important that we communicate in ways that resonate with our audience,” says Ayers. “We may be comfortable talking about data exfiltration to a CISO, but that same terminology may leave a CFO or COO confused. We have to understand the risk in the context of the business to make our advice relevant and pragmatic to implement. By doing this, we are demonstrating value as trusted advisors.”
The threats to digital business are only going to get more complex. “As an industry, we need ensure we can attract and retain individuals who fulfil the broad spectrum of roles that the industry has to offer,” he says. “We need to recognise and reward business engagement skills in the same way we do technical skills, and provide clear paths for progression that do not involve leaving the industry.”
While digitally enabled businesses certainly have an increased attack surface, the key principles of cyber security best practice will always remain the same, says Ramsés Gallego, past international vice-president of the Isaca board of directors and strategist and evangelist in the office of the CTO at Symantec.
Alex Ayers, Turnkey Consulting
“Whatever the type of business, it’s fundamental that there is a plan in place that takes into account all of the emerging technologies we’re seeing, from cloud to increased mobility, big data and the internet of things (IoT).
“It is also critical that organisations, no matter the size or industry, comprehend where data that is instrumental for the day-to-day activities of a company lives and, in consequence, how it should be protected.”
Beyond the technical processes and procedures, Gallego says security professionals should also be familiar with the latest legislation and regulations that companies have to abide by, with a clear understanding of the various governance frameworks.
Tailoring the security message for business
Key to tailoring the security message for the business is recognising that businesses understand profit and loss, and the need and cost of marketing and sales, says Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
Just as a company cannot survive without marketing and sales, many will – in the worst-case scenario – fall victim to an information security breach and fail without good information security.
The message that should be given to the business, says Wenham, is simply this: “If you don’t do X, Y will happen, and that will cost the business £Z.
“X is an information security control such as ensuring the IT estate is security patched with the latest patches, or that all people in a company are given regular training and education in being security-aware citizens who know what to do when things start to go wrong.
“Y is of course a security breach, which could be someone hacking into a company’s IT estate and taking copies of data. But it is more likely to be someone opening a malware-infected email attachment or clicking on a link in an email that takes their browser to a website that is a source of malware, which increasingly these days could be ransomware.
“£Z is the cost to the business of recovering from the breach. It’s the cost to the business that needs to be articulated, and in a way, that is understandable. Simply saying it will take two days to recover from a breach isn’t sufficient,” he says. “You also need to identify the potential cost to the business and of lost productivity across the whole company, the anticipated loss in sales, and the typical cost of using external specialist help.”
Wenham says a funding request should be written with the recommendations immediately following the management summary, and structured along the lines X, Y and Z.
“If there is a range of options available, prioritising the options along the lines of ‘must have’, ‘need to have’ and ‘nice to have’ will help the business reach appropriate decisions,” he says. “Detailed risk reviews and analysis, work identification and costs to implement, and the potential costs to the business if various work is not done should be included as supporting appendices.”