The most mature organisations in terms of cyber security are beginning to translate cyber risks into business risks, according to Peter Woollacott, chief executive of Huntsman Security.
However, he said not all organisations his company has dealings with in Australia, Asia, the US and Europe have a complete understanding of the potential business impacts of cyber threats.
Despite the consequences of cyber attacks on high-profile businesses such as Sony, relatively few organisations understand the scale of the threat they face.
According to Woollacott, security suppliers and businesses need to change the language of security to express cyber risks in terms of risks to IT assets and associated business processes.
“Instead of talking about XYZ router failing, it is far more meaningful to talk about the risk of not being able to process payments,” he said.
By expressing a cyber risk in terms of business impact, a business can better assess and quantify that risk, and decide what priority and resources to allocate to mitigating it, Woollacott told Computer Weekly.
“If businesses do not understand the business impact of a cyber threat, they cannot really deal with cyber risks in the same way they deal with other business risks,” he said.
“Only if a business is aware that it is exposed to a cyber risk and the potential cost of that risk, can it correctly prioritise that risk against more traditional business risks.”
To achieve this better understanding, Woollacott believes that both businesses and the security industry have contributions to make.
“Within businesses, security teams need to be more specific about risks and incidents and express them in terms of business impact,” he said.
However, he believes the security industry has a contribution to make in helping businesses deal with the security information overload.
“As an industry, we have to work to make it easier for businesses to aggregate and correlate security information to enable security analysts to make faster and better decisions,” said Woollacott.
In line with this philosophy, Huntsman Security has spent the past 18 months improving its automation processes to raise the speed and quality of the information delivered to analysts.
“We have built a portal for enabling organisations to identify the relevance and potential impact of cyber threats to their business,” said Woollacott.
“The next step is developing automated responses to help businesses deal with the large and growing volume of security information,” he said.
Woollacott believes there is a pressing need to distill security information down into something more manageable, and that ultimately, most responses to security alerts will be automated.
At the very least, he thinks systems will be able to automatically take actions to mitigate threats, leaving only the decisions that will most impact the business to security analysts.
“For small and medium businesses that do not have security operations teams and security analysts, probably the best way of moving to a better understanding of the risks they face is to tap into the resources of managed security service providers,” Woollacott said.
Although campaigning for change, he is optimistic. “A growing number of organisations are starting to ask questions about and review their return on security investments, which is an indication that they are starting to see information security as part of the broader investment decision and cyber risk as an integral part of business risk,” he said.