Cyber attacks and cyber espionage have become a ubiquitous challenge for organisations across all sectors of industry. Indeed, we are seeing successful attacks prompted by a variety of motives.
Traditional information security strategies focus on policies, controls and technology solutions. However, in most cases one would find that criminal acts, such as sabotage or cyber attacks, were expressly excluded from the security arrangements with the argument: "We cannot plan against everything".
As a result, many security strategies are directed at precisely the wrong things.
Cyber security, particularly in an organisational context, is about dealing with highly intelligent, versatile and determined opponents.
Obviously, this basic idea requires an approach that acknowledges the facts: crime and espionage are out there, and there is no point in perpetuating the Shire syndrome. We can no longer propagate the oft-quoted "culture of trust where we don't need that much security", nor can we abdicate our responsibilities by stating that "we are small and uninteresting".
A well thought-out cyber security strategy will therefore address aspects of governance, risk and compliance/assurance, as well as the individuals whose use of information and IT determines the overall position of the organisation.
Three major game changers should be taken into account to set the scene for comprehensive cyber security:
1) ubiquitous broadband and the "always on" mode of use for individual and corporate devices;
2) the increasingly IT-centric nature of day-to-day processes and transactions;
3) the beginnings of a new social stratification based on IT skills and knowledge (or their lack).
In practice, many security standards and frameworks are yet to address these game changers. One of the leading frameworks for planning, implementing and managing cyber security is COBIT 5, published by ISACA.
While its overarching architecture addresses all aspects of information and its business use, several publications in the COBIT 5 product family offer specific guidance on information security, cyber security and technical aspects such as mobile device security.
In using COBIT 5, organisations will be able to demonstrate value, efficiency and effectiveness of their cyber security strategies, including those parts of the strategy concerning the individual.
As a starting point, the guiding principles developed for cyber security should be used for setting policy and direction. Further steps will likely include the use of the seven COBIT enablers, thus ensuring broad coverage of technical, managerial and assurance-oriented security items such as organisational structures, behaviour and culture.
It should be noted that cyber security is a gradual, iterative life cycle that must be established as a proper business process.
Rolf Van Roessing is past international vice president of ISACA and executive advisor at KPMG Europe.