Aside from the relentless barrage of cyber security attacks, one of the key challenges for IT security professionals is getting the rest of the business on board with understanding that cyber security risks translate into business risks.
There is great potential for things to get lost in translation when cyber security threats and remedies for protecting the organisation are communicated to non-security professionals. The IT security department might jump to “red alert” as a result of a user opening a malware-bearing email attachment, where other people in the business won’t make the connection between opening the attachment and the level of cyber security risk involved. As our own research shows, for many businesses the cyber security threat landscape is getting worse.
Well-publicised breaches at Target, Ashley Madison, The US Federal Office of Personnel Management (OPM) and TalkTalk show that it is much easier to raise awareness if you define cyber security risks in everyday terms. A £10 million fine, a tarnished reputation or lost customers is far more impactful to business leaders and frontline staff than general references to “non-compliance” or data leaks.
The magnitude of the impact of these breaches is catapulting cyber security right up the business risk register, but there is still work to do. Ponemon research found that board members are increasingly aware of cyber security, but lack an understanding of the issues, which must limit their ability to evaluate situations and respond appropriately. The US NACD found that directors are dissatisfied with the information and clarity of cyber risk information they are given. This must be rectified before cyber-threats can be tackled effectively.
One challenge in bridging the communication gap is that cyber security threats mean different things to different people and invariably impact different parts of the business. The implications of specific cyber security risks or non-compliance can be unclear to senior managers for whom business objectives, deliverables and the bottom line are more pressing. If the link between a threat and its ramifications is not clear or not evident, the risks to the wider business remain obscure.
To change this, security professionals must translate cyber security into the language of business risk, presenting each part of the business with understandable and relevant information. This means not merely stating what the threat is, but providing intelligent metrics for cyber security. These metrics should clearly show what assets or information are at risk, how business activities and reputation could be impacted, the likelihood of the events and the consequences if the worst does happen.
Impacts must be tuned to the specific mandate of the individuals – a CFO will be more concerned with financial impacts (like the new fine regime under GDPR) than a CEO who would focus on reputational and strategic impacts.
For example, if you tell a Sales Manager that the organisation needs to invest to rectify some non-compliances with the PCI-DSS standard, they are likely to view it as a technical issue to be delegated and resolved. If, however, you explain that the business could end up unable to accept credit card payments until the problems are rectified, there is a better chance of gaining business traction. Similarly, ransomware may not initially concern the business and its executives any more than any other form of malware or data loss, unless it is made clear that this risk is worsened by a previous lack of investment in comprehensive data backups, and by patching that is hampered by a constant demand for uptime and resilience.
Aside from dealing with the difficulty of translating between technical and business issues, there is a need for greater collaboration in the security and compliance processes. There are more useful ways to approach compliance than treating it as an annual tick-box activity. It must become a continuous, real-time process with inbuilt quality improvement. Businesses need intelligent metrics for cyber risk that show the live, up-to-date security and compliance status of key systems and processes. This enables instant identification of problems and allows them to be dealt with before they become serious. Becoming fluent in risk means information is presented in a common and meaningful language across the business, so that its importance is clear to everyone.
Ultimately, cyber security is not just an IT concern. It is a business-critical issue with ramifications for everyone. The only way to tackle threats effectively is to turn everyone into a business cyber security risk sentinel, so that they understand the risks relevant to their own role or part of the business. This means continuous security and compliance monitoring, and familiarity with the security and compliance management processes across the business, so that governance outcomes can be continuously improved through “testing and adjusting” of policy and compliance controls.
This collaborative approach will decrease the risk that a business will be hit by a damaging breach or a costly fine, and it also reduces the risk of the cyber security threats the business faces being lost in translation.