Cyberspace is continuously evolving as its potential and threats, vulnerabilities, complexity and interconnectivity are in a constant state of change. As activists, cybercriminals and nation-states disproportionately increase traditional information risks, it’s becoming clear that the business risks associated with operating in cyberspace should be moving quickly to the top of most chief executives’ agendas.
Today, chief information security officers (CISOs) and other information practitioners are required to provide more accountability and considered opinion about the commercial, reputational and financial risks that go with cyberspace. Highly publicized breaches in the media, and more stringent regulation, have put the spotlight on information security in most organizations around the world. This has resulted in unprecedented pressure to assure stakeholders that sensitive information is secure.
The big question for governments, enterprises and individuals alike is how can these growing cyber threats be countered without losing the benefits of internet-based trade, commerce and communication? That’s a tall order given that cyberspace is constantly changing and has become an increasingly attractive hunting ground for criminals, activists and terrorists.
A Security-conscious World
There have been a number of initiatives proposed by governments around the world for tackling cyber threats. These range from allocating funds and creating legislation to protect critical infrastructure, to programs that mandate cooperation and collaboration between the government, enterprise and academia. Many of these are still unclear and under development. What is achievable, however, is to prepare an effective response to the inevitable attacks so that their consequences are minimized.
With cyberspace so critical to everything from supply chain management to customer engagement, holding back adoption, or disconnecting from cyberspace altogether, is simply not feasible. All this makes it imperative for governments and enterprises to build up cyber resilience. This can be achieved through a proportional approach that balances the need to protect organizations and individuals with the need to enable free, legitimate trade and communications.
But the commercial, reputational and financial risks that go with cyberspace are real and growing. In the drive to become cyber resilient, organizations need to extend their risk management focus from pure information confidentiality, integrity and availability (CIA) to include other risks, such as those to reputation and customer channels, and recognize the unintended business consequences from activity in cyberspace.
Managing Information Risk with Resilience
Establishing cybersecurity alone is no longer enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organizations must extend risk management to include risk resilience, in order to manage, respond and mitigate any negative impacts of cyberspace activity.
As I mentioned earlier, cyber threats are not just an issue for the information security function; they require the involvement of every discipline within an organization and its partners and stakeholders. A coordinated, collaborative approach is needed, led by senior business leaders – preferably the chief executive or chief operating officer, certainly a board member. In order to be successful, organizations need to coordinate with customers, suppliers, investors, the media and other stakeholders.
Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences. This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected
Cyber Governance and Partnering
One key element of building cyber resilience is to establish a governance framework with board-level buy-in for monitoring online activities – including partner collaboration, and the risks and obligations associated with operating in cyberspace. Organizations should have a process for analyzing, gathering and sharing cyber intelligence with stakeholders. They also need a process for assessing and adjusting their resilience to the impacts from past, present and future cyberspace activity.
Here are a few questions to ask of your organization:
- How does information security support our business priorities, such as attracting and retaining customers, maintaining or growing competitive advantage and fostering innovation?
- If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was reasonably expected?
- Are we prepared for the future?
- How can we validate understanding of our information risks and how they are managed?
- Should we as an organization or board be changing our approach?
Today’s Emerging Threat Landscape
The array and complexity of cybersecurity threats will significantly increase, and businesses that do not prepare now will struggle to handle the challenges later. While individual threats continue to pose risk, it is the combination of them, along with the speed at which attacks may be launched, that provide the greatest danger.
Enterprises want to take advantage of developing trends in both technology and cyberspace; it makes sound business sense. To do so, however, they must manage risks beyond those traditionally handled by the information security function, including attacks on reputation and all manner of technology – from smartphones to industrial control systems.
New attacks impact not just technology, but business reputation and shareholder value. At the Information Security Forum (ISF), we are starting to see a clear link between publicized cyber-attacks and stock company price performance.
There are three main drivers that businesses must be aware of as they prepare to deal with these increasingly complex threats:
Internal threats that come as technology continues to develop at “tweetneck” speed, introducing new benefits but also raising the risk temperature as businesses adopt them without fully assessing the security implications.
What can you do to manage these internal threats?
- Review security implications of new suppliers and involve your information security team – at the outset
- Develop resilience to possible unforeseen interactions
- Conduct periodic reviews of business impact and security risks associated with each link in the supply chain
External threats that come from increasingly sophisticated cybercrime, state-sponsored espionage, activism moving online, and attacks on systems used to manage critical infrastructure in the real world.
What can you do to manage these external threats?
- Implement baseline security and improve your cyber resilience
- Establish ties with crime investigation and law enforcement agencies
- Collaborate and share attack information
Regulatory threats that come in the form of regulators, who grapple to implement legislation calling for greater transparency about incidents and security preparedness, and all the while increasing requirements for data privacy.
What can you do to manage these regulatory threats?
- Increase information security governance and plan for external reporting
- Prepare and test security incident response procedures
- Step up security assurance requirements for business partners
Don’t Think Cybersecurity…Think Cyber Resilience
Businesses operate in an increasingly cyber-enabled world, and traditional risk management just isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience – built on a foundation of preparedness – that assesses the threat vectors from a position of business acceptability and risk profiling. From cyber to insider, organizations have varying degrees of control over evolving security threats.
With the speed and complexity of the threat landscape changing on an almost daily basis, all too often we are seeing businesses being left behind, sometimes in the wake of reputational and financial damage. Businesses need to take stock now to ensure they are fully prepared and engaged to deal with these ever-emerging challenges.
Steve Durbin is global vice president of the Information Security Forum (ISF), an independent, nonprofit association. His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, outsourced cloud security, third-party management and social media across both the corporate and personal environments. He was formerly senior vice president at Gartner, where he was the global head of Gartner’s consultancy business.