Understand the threats, vulnerabilities and assets inside and affecting your business to properly get an idea of your risk appetite.
Speaking at The European Information Security Summit, Will Brandon, CISO at the Bank of England said that as cyber is a modern problem, a modern cyber security strategy should consider that.
“Technology now expands at an exponential rate and progress in next two to three years will exceed all of the progress between now and 1958, that is the pace at which things are changing,” he said.
“Your strategy needs to start from an understanding of risk, and risk needs to have owners as who owns your risk? At the top level it is the board, as cyber is not a technology problem. Often a reflex to the problem is ‘where is the technology guy’, but it is a people and process problem too, and people need to be led and processes need to be managed. It is a management and leadership problem.”
Brandon claimed that leadership is about walking the walk, and said it is no good spending zillions on technology to protect yourself if you use insecure processes.
He said: “What are your critical processes? Ask the business. Have a way of understanding your assets and score them against the financial impact against the reputational impact and operational impact and you have a score.”
Once you have a score, Brandon said that this will help a business understand the capability and intent of threats, as if it is not against you it is not a threat.
“First and foremost have a risk register and know what the risks are, and have some form of risk governance for the business, as it has got to be part of governance,” Brandon said. “It must have representatives from IT security, information security, HR, procurement, legal: but if the company is not engaged it will not work.
“There has to be something programmatic going on in your business for this to work.”
He concluded by saying that technology will push a risk trajectory upwards, but the risks will push you back down, and with that understanding you can determine what the risk is and the risk appetite. “A conversation that helps the board and where everybody wants to be,” he said.