Blog post -
Five questions you should be asking about your business’ cyber resilience
2020 has brought about a lot of uncertainty for businesses across the globe. Huge changes have been made to business processes, technology strategies and workforces.
And, with this great change comes growing pressure to have a clear cyber security strategy in place that secures the future of organisations worldwide.
But how can organisations navigate their way through assessing their resilience after this period of change, and know what measures they can implement to ensure ongoing resilience?
We asked Joss Howard, senior advisor at NCC Group to share the five questions she thinks businesses should be asking themselves and why these are so important to building a robust cyber security posture.
1. What should be my number one cyber security priority for this year and what do I need to do to achieve its success?
When setting out your cyber security strategy and budget for the year, clarity on what the priority is, is very important. Without this, you can quickly lose top-level and business-wide support, which can make it harder for the security department to consistently implement changes that protect the confidentiality, integrity and availability of data and services across the business.
An effective and successful strategy will set out how cyber and information risk will be reduced and therefore, increase data and system protection and regulatory compliance. This should be underpinned by an action plan which sets out objectives, tasks, milestones and the budget necessary to achieve cyber security goals and boost resilience for years to come. Regularly reporting to the board and communicating throughout your organisation helps to ensure continuous buy-in across the business and ensure that goals are met.
Another driver for success is the use of skilled resources across your organisation – not just in the security department – to support the strategy, action plan and ongoing operations. Informing employees about the role they have in protecting their clients’ data as well as the wider organisation’s data is also crucial.
2. Is the cyber security strategy aligned with my business objectives?
This is a critical question when assessing your business’ cyber resilience. Many organisations are guilty of siloing the two when they should be closely aligned. A cyber incident or attack impacts not only your growth, but also your reputation and credibility. You will also have to deal with increased scrutiny from regulatory bodies, weakened stock value, unbudgeted recovery costs, impacted staff morale, and damaged operations.
Cyber security needs to be seen as a driver for business success, not a competitor. The more that non-security departments are involved, and the more that strategies are aligned with wider business objectives, the more successful you will be at reaching your business’ overall goals and creating a sustainable approach to cyber security.
Having a CISO can help other board members to understand how cyber security intersects with the wider business strategy. If you don’t have a CISO or aren’t required to have one but find yourselves needing extra support, virtual CISOs can be brought into your business to support this alignment and wider cyber strategy work.
3. Am I confident that the cyber security programme protects my business?
Having confidence in your security programme is paramount. Regularly assessing it will help you answer this question with a ‘yes’ and ensure that it is aligned to your risk tolerance, regulatory requirements and business strategy.
Incident response is key to providing you with the confidence that your business can react effectively and efficiently, whereas proactive, regular testing is important to ensure your business’ resilience.
Your security team also needs to be trained to understand and implement the latest regulatory requirements, react to current threats and be aware of future ones and how to convey these to the rest of the business.
4. Do I have the right information to manage my cyber risks?
A common problem we see with businesses is that they often don’t know the right key performance indicators (KPIs) to implement and measure.
While usual KPIs focus on operational security, such as the number of laptops in use and how many are encrypted, they don’t really inform the board on the success of security in reducing cyber risks. Smaller organisations can particularly struggle with this as they may not have the capability to measure their cyber security controls effectively. Larger organisations may have more resources to dedicate to this, but it doesn’t necessarily mean it’s happening.
Effective cyber security KPIs need to be clear, business-focused and have least margin of error. Key things that businesses should look to measure include their level of preparedness for an incident, if and when intrusion attempts have happened, the number of privileged accounts across the business, as well as tracking improvements or declines in security operations and use of security ratings to communicate their effectiveness to non-technical staff.
Taking a step back to assess this on a regular basis not only helps you get a better picture and understanding of your systems, but also gives you the tools to futureproof your business.
5. Do my compliance capabilities allow my business to comply with cyber security and data protection regulatory obligations while building resilience?
Global organisations have a plethora of privacy legislation and regulatory policy to comply with, as well as information security standards to certify against. For example, if a business has a footprint in Australia, Singapore, US, Germany, UK and Ireland, it would have to comply with at least 15 regulations and security frameworks. However, we have found that businesses often don’t have enough people or teams to help them meet these standards.
While the number of government and regulatory body requirements are increasing, it seems this is happening without any understanding of the consequences of the cost to the business to adhere to the regulation. This inevitably leads to gaps in implementation and businesses facing significant financial penalties or regulatory exposure as a result.
However, there are solutions that can help you reduce cyber risks and monitor compliance, starting with mapping out security controls against a regulatory framework, creating a control library that can be used as a benchmark, to ensure that you are meeting current and future compliance requirements, as most regulations and standards are overlapping.
The management of the control library will need to include input from data privacy and legal specialists, along with IT and information security professionals to ensure that the controls meet the legal and privacy requirements, and technologists to implement them.
As well as this, reporting of compliance needs to be managed by the business Audit and Risk Committee – or equivalent – who provide this status on a regular basis. This report needs to include current posture and understanding of future changes to the regulatory environment so that proactive actions can be taken, such as the assessment of current controls to meet the new controls.
While by no means exhaustive, these questions should provoke necessary conversations within your business about your cyber resilience, especially as the threat landscape continues to evolve.
Keep your eyes peeled for more content in the coming weeks, including first-hand insight into the role of a virtual CISO and the work they do with global businesses to boost their security posture.