First, they need the business to understand this is not just an IT issue. Instead, cyber security efforts should be focused on successful business outcomes enabled by risk management.
Second, an information security professional should always match cyber security spending to the organisation's actual needs, so that time and money are not wasted.
Third, planning ahead will be key, as considering cyber security in the later stages of development or after a breach can be more expensive.
The first task for the information security professional is to move the discussion beyond IT and get cyber risks as a standing board agenda item. The catalyst for this can be a summary brief on the UK government’s strategy outlining some key themes.
The newly created National Cyber Security Centre (NCSC) has a primary focus of protecting critical national infrastructure. NCSC’s role towards business is advisory; it is not a national cyber health and emergency service for every organisation. Therefore, a key theme to take to the board is that companies must look after their own cyber security.
Another key theme to outline is that the government seeks to become more interventionist. One example in the strategy is the application of the European Union (EU) General Data Protection Regulation (GDPR), effective May 2018. The fines under GDPR can rise to 4% of a company’s global annual turnover or €20m, whichever is higher.
When the board is engaged, the next step is to maintain a positive tone. The cyber security professional must become part of the enterprise risk management plan that enables business growth through exploiting the digital world.
A well-conceived plan will include training at all levels and organisational structures, along with governance, information asset classification and technological solutions.
Correctly classifying information assets is the starting point for getting the business to recognise the value of the information it holds.
The information security professional will understand what needs to be protected to maintain a good reputation and avoid regulatory sanctions. This asset classification will also inform business cases that can lead to the replacement of assets that are old and difficult to protect.
The immediate output must be appropriate business continuity and disaster recovery plans. These are necessary to keep the business alive in the event of a cyber attack, fire, flood or the realisation of any other major business risk.
In the cyber security context, the process of planning matters more than the plan itself. The actual plan is unlikely to survive contact with an ever-changing digital world. The point at which it is too late to start planning is when you discover a breach.
Graham Ingram is a senior manager in the Deloitte public sector cyber risk advisory team.