Businesses must prepare themselves for the future so that they have the flexibility to survive unexpected and high-impact cyber-security events.
Preparation Is Key
Today, the stakes are higher than ever before. High-level corporate secrets and critical infrastructure are constantly under persistent attack and organizations need to be aware of the important trends that have emerged or shifted in the past year, as well as those that they should prepare for in 2014.
Organizations of all sizes are operating in a progressively cyber-enabled world, and traditional risk management isn't agile enough to deal with the dangers arising from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparation that evaluates threat vectors from a position of business acceptability and risk profiling. From cyberspace to insider threats, organizations have varying degrees of control over evolving security threats, and with the speed and complexity of the threat landscape changing daily, far too often I'm seeing organizations being left behind, sometimes in the wake of major reputational and financial damage.
The Time Is Now
While it would be nearly impossible for businesses to avoid every serious incident, few organizations have a mature, structured approach for analyzing what went wrong. Organizations of all sizes must immediately take stock of their present situation in order to ensure that they are prepared and engaged to deal with these ever-emerging challenges.
Three key steps that businesses can take today to ensure that they are best equipped to deal with the challenges of operating in cyberspace are:
1. Prepare for the strategic challenge of operating in cyberspace by adopting a framework or set of policy guidelines, such as the ISF Standard of Good Practices or the NIST Cyber Framework, to begin the process of standardizing and consolidating their approach to being cyber safe. This can be used to improve resilience against low probability and high-impact events that can threaten the survival and success of the organization and to establish a comprehensive control framework to support effective information risk management.
2. Align cyber-security with stakeholder value by benchmarking the organization against standards, other companies and sectors, and gaining an overall picture of information security status across the business. This also allows you to compare performance with other leading organizations and identify areas of weakness for further investigation. From the stakeholder standpoint, it allows you to target spending where it will provide the most business benefit.
3. Assess business impact and risk mitigation focus areas by using a risk assessment methodology. Through a structured process of business impact assessment, threat and vulnerability identification, and relevance to your own business or organization, such an approach allows you to evaluate and select controls to reduce the likelihood of serious incidents occurring.
By adopting a realistic, broad-based and collaborative approach to cyber-security and cyber-resilience, CIOs will be better prepared to understand the true nature of today's global cyber-threats and respond properly. This will be of the greatest importance in 2014.
About the Author
Steve Durbin is global vice president of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
His previous CIO Insight article is "The CIO's Secret Weapon: Stakeholder Pressure."