Security Think Tank: Cyber security is everyone’s responsibility

How can information security professionals help organisations to understand the cyber risks across increasingly digital businesses?

The UK government’s National Cyber Security Strategy discusses government plans to address cyber security issues in an increasingly digital Britain. Information security professionals have an important role to play in helping their organisations recognise the extent of cyber risk and take action.

Cyber security is everyone’s responsibility, so start by raising awareness across the organisation. People are an organisation’s biggest asset and also potentially its biggest risk, and how these people take decisions and behave in key moments is an essential factor in strengthening resilience.

Capture the attention of the business with a “sell not tell” message. Promote a cyber secure culture by using business language – individuals switch off if they don’t understand what is being said.

A business relationship manager role (or similar) can be used to great effect, providing a bridge between the information security function and the rest of the business, helping to explain what needs to be done to support cyber security.

According to the UK government, only about 20% of businesses have provided cyber security training for their employees in the past year. If individuals are unaware of how to behave in key moments, they are likely to make poor security decisions.

Develop an awareness programme and prioritise the programme based on the risk profiles of employees. Secure behaviours can be reinforced with regular training and communications.

Organisations should focus on rewarding good security behaviour and having strategies in place to address behaviour that requires improvement. Leading organisations recognise that a network of trained information security champions from within the business can play a vital role in introducing and embedding positive information security behaviours.

The UK government wants UK business to take action. Various standards can be used to prioritise cyber security requirements and explain these priorities. Examples include ISO/IEC 27002 and the ISF’s Standard of Good Practice for Information Security.

Maxine Holt is principal analyst at the Information Security Forum (ISF).