Aside from the relentless barrage of cyber security attacks, one of the key challenges for IT security professionals is getting the rest of the business on board with understanding that cyber security risks translate into business risks.
There is great potential for things to get lost in translation when cyber security threats and remedies for protecting the organisation are communicated to non-security professionals. The IT security department might jump to “red alert” as a result of a user opening a malware-bearing email attachment, where other people in the business won’t make the connection between opening the attachment and the level of cyber security risk involved. As our own research shows, for many businesses the cyber security threat landscape is getting worse.
The well-publicised breaches at Target, Ashley Madison, the US Office of Personnel Management (OPM) and TalkTalk illustrate that it is much easier to raise awareness if you define cyber security risks in everyday terms. A £10 million fine, a tarnished reputation or lost customers are far more meaningful to business leaders and frontline staff than general references to “non-compliance” or data leaks.
The magnitude of these breaches is pushing cyber security up the business risk register, but there is still work to do. Ponemon research found that board members are increasingly aware of cyber security but lack an understanding of the issues, which limits their ability to evaluate situations and respond appropriately. The US National Association of Corporate Directors (NACD) found that directors are dissatisfied with the clarity of the cyber risk information they are given. This must be rectified before cyber threats can be tackled effectively.
One challenge in bridging the communication gap is that cyber security threats mean different things to different people and invariably affect different parts of the business. The implications of a specific cyber security risk or non-compliance can be unclear to senior managers for whom business objectives, deliverables and the bottom line are more pressing. If the link between a threat and its ramifications is not made clear, the risk to the wider business remains obscure.
To change this, security professionals must translate cyber security into the language of business risk, presenting each part of the business with understandable and relevant information. This means not merely stating what the threat is, but providing meaningful cyber security metrics. These metrics should show clearly which assets or information are at risk, how business activities and reputation could be affected, the likelihood of the events and the consequences if the worst does happen.
Impacts must be tuned to the specific mandate of the individual: a CFO will be more concerned with financial impacts (such as the fine regime under GDPR) than a CEO, who will focus on reputational and strategic impacts.
For example, if you tell a Sales Manager that the organisation needs to invest to rectify some non-compliance with the PCI DSS standard, they are likely to view it as a technical issue to be delegated and resolved. If, however, you explain that the business could end up unable to accept credit card payments until the problems are rectified, there is a better chance of gaining traction. Similarly, ransomware may not initially concern the business and its executives any more than any other form of malware or data loss, unless it is made clear that this risk is worsened by a previous lack of investment in comprehensive data backups, or by patching that is hampered by a constant demand for uptime and resilience.
Aside from the difficulty of translating between technical and business issues, there is a need for greater collaboration in the security and compliance processes. Compliance is more useful when it is not treated as an annual tick-box activity; it must become a continuous, real-time process with built-in quality improvement. Businesses need cyber risk metrics that show the live, up-to-date security and compliance status of key systems and processes. This enables problems to be identified promptly and dealt with before they become serious. Becoming fluent in risk means information is presented in a common and meaningful language across the business, so its importance is clear to everyone.
Ultimately, cyber security is not just an IT concern. It is a business-critical issue with ramifications for everyone. The only way to tackle threats effectively is to turn everyone into a cyber security risk sentinel for the business, so that they understand the risks relevant to their own role or part of the organisation. This means continuous security and compliance monitoring, and familiarity with the security and compliance management processes across the business, so that governance outcomes can be continuously improved by testing and adjusting policy and compliance controls.
This collaborative approach decreases the risk that a business will be hit by a damaging breach or a costly fine, and it also reduces the risk that the cyber security threats the business faces are lost in translation.