Enterprise risk management needs to be extended to create cyber-resilience, which is built on a solid foundation of preparation and teamwork.
Organizations must be agile in order to prevent, detect and respond effectively, not just to incidents, but to the consequences of cyber-attacks. An incident response team comprising representatives from departments across the organization should be created to develop and test plans for both pre- and post-incident activity. This team should be equipped and trained to respond quickly to an incident by communicating with all parts of the organization, as well as with potentially compromised individuals, shareholders and regulators.
Dealing With Complex Threats
The array and complexity of cyber-security threats will continue to rise significantly in the next decade, and for businesses the time to prepare is now, or the consequences will be felt later. As I mentioned earlier, managing risk from cyberspace must extend beyond information security to include risks to reputation, employee devices and third-party suppliers.
As they prepare to deal with these increasingly complex threats, businesses must consider three main drivers:
Internal Threats. As technologies bring new benefits to the enterprise, they also increase the potential for risk, particularly when businesses do not fully assess the security implications prior to purchase or implementation. Add rogue insiders to this mix and you have a lot more risk under your roof. Periodic reviews of the business impacts and risks stemming from the supply chain should be conducted. Employee policies and procedures for BYOD programs, as well as password and login policies, should be strengthened. Your security team should be involved at the outset to review the security of any new suppliers.
External Threats. Cyber-crime, state-sponsored espionage, hacktivism and persistent attacks on real-world critical infrastructure systems: the list is growing faster than your IT resources can keep up with. Enterprises would do well to follow the governmental model of unified situational awareness, with controls in place to monitor, detect and remediate problem areas in real time. Collaboration and sharing of attack information with trusted law-enforcement agencies, as well as with business partners, will help to reduce the risk from external threats.
Regulatory Threats. Compliance requirements, regulatory mandates, data privacy obligations, the push toward greater private- and public-sector collaboration, and disclosure of security preparedness are all better managed with information security governance and better reporting. Incident response procedures should be in place and tested. In addition, improve your security assurance requirements for business partners.
Instituting a Cyber-Resilience Program
Organizations function in a progressively cyber-enabled world today, and traditional risk management isn't nimble enough to deal with the risks from cyberspace. Enterprise risk management needs to be extended to create cyber-resilience, built on a foundation of preparedness. From cyber-threats to insider threats, organizations have varying degrees of control over evolving security risks.
A comprehensive cyber-security program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to stay informed of current threats and to enable timely response and recovery. Using a resilience-based approach to apply cyber-security standards and practices allows for more comprehensive and cost-effective management of cyber-risks than compliance activities alone.
Cyber-resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack. By adopting a realistic, broad-based and collaborative approach to cyber-security and cyber-resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately.
About the Author
Steve Durbin is global vice president of the Information Security Forum (ISF), an independent, nonprofit association. His main areas of focus include the emerging security threat landscape, cyber security, consumerization, outsourced cloud security, third-party management and social media across both the corporate and personal environments. He was formerly a senior vice president at Gartner, where he was the global head of Gartner’s consultancy business.