Cyber-space is the land of opportunity for hacktivists, terrorists, and criminals motivated to wreak havoc, commit fraud, steal information, or take down corporations and governments. They can hide out in the dark web, geographically removed from the scene of their crimes, launching automated attacks on thousands of targets knowing a fraction will succeed.
Organizations operate in increasingly connected environments where the network perimeter has essentially dissolved. With new technical vulnerabilities being discovered every day, it has never been more important for businesses to assess and understand their critical infrastructure.
Reducing the Risk of Attack
Deploying cybersecurity measures is not enough. Risk management largely focuses on achieving security through the management and control of known risks, but rapid evolution of opportunities and risks in cyber-space is outpacing this approach. Organizations must extend risk management to include risk resilience, in order to mitigate any damaging impacts of cyber-space activity.
Cyber-resilience programs help anticipate and prepare for uncertainty with comprehensive rapid-response capabilities. Once one has acknowledged that cyber-attacks are unavoidable, the next logical step is to prepare and rehearse a decisive and effective response plan. Cyber-resilience recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. Above all, cyber-resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to an attack.
Utilizing Standards to Protect Against Risk
Business leaders recognize the enormous benefits of cyber-space — innovation, collaboration, productivity, competitiveness, and engagement with customers — but they have difficulty assessing the risks versus the rewards. That’s why the ISF has designed its new tools to be as straightforward to implement as possible. These ISF tools offer organizations of all sizes an “out of the box” approach to address a wide range of challenges: strategic, compliance-driven, or process-related.
For example, the ISF’s Standard of Good Practice for Information Security (the Standard) is the most comprehensive and current source of information security controls available. It enables organizations to adopt good practices in response to evolving threats and changing business requirements. The Standard is used by many organizations as their primary reference for information security. The Standard is updated annually to reflect the latest findings from the ISF’s Research Program, input from our global member organizations, and trends from the ISF Benchmark, along with major external developments such as new legislation.
Institute a Risk Assessment Process
Managing information risk is critical for all organizations, but effective only if it enables business strategies, initiatives, and goals. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of which risks could compromise business success and resilience.
It is important to remember that it is not feasible to defend against all threats. An organization therefore needs to look closely at its resilience: analyze and optimize the plans and arrangements in place to minimize impact, speed recovery, and learn from incidents.
Preparing Your People
Many organizations recognize their people as their biggest asset but fail to recognize the need to manage the human element of information security. People should be an organization’s strongest control. Organizations must go beyond security awareness training and policy to embed positive information security behaviors that will turn into habits, creating a sustainable security culture throughout the enterprise. The real commercial driver of security awareness activities should be risk, and how new employee behaviors can reduce that risk.
Adopting the perspective that disclosure will be more damaging than the data theft itself is a guaranteed way to damage customer trust. However, many organizations lack rehearsed incident response and tech-literate public relations plans. We urge our members to carefully consider their response, because your organization can’t control the news once it becomes public. This is particularly true as data breaches occur with greater frequency and the general public pays greater attention to privacy and security matters. I highly recommend running simulations with your public relations firm so that you are better prepared to respond following a breach.
Requirements for Security Professionals in 2016…and Beyond
Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling. As you prepare your organization to navigate the security minefield, keep this guidance top of mind:
- Focus on the basics
- Re-assess risk from the inside out
- Adopt a risk vs. reward mindset
- Address major threats to mission critical information
- Think resilience, not security
Organizations of all sizes need to ensure they are fully prepared to deal with attacks on their business and reputation. The more resilience and security-oriented thinking you can embed into all aspects of your business strategy and planning, the more equipped you will be to respond effectively and move forward from a place of strength.